Re: SQL Server Authentication



Thanks Jasper,

Therefore, if I understand this correctly, there isn't a need to use SSL
between the webserver application and the SQL Server as the login is
encrypted and cannot be swiped in transit? I agree, I prefer Windows
Authentication, however, the web server is residing in the DMZ in a
workgroup.

Thanks

Rustom


"Jasper Smith" <jasper_smith9@xxxxxxxxxxx> wrote in message
news:OmUak8X7GHA.1252@xxxxxxxxxxxxxxxxxxxxxxx
In SQL2005, the login handshake for a SQL login is encrypted by a
self-generated certificate so no, it's not transmitted in the clear. Passwords
for SQL logins are also subject (or rather they can be) to your domain
policies for expiration and complexity so all in all it's a lot better
than it was previously. The best practice is still Windows authentication
but there's a lot less risk with SQL authentication now.

--
HTH,
Jasper Smith (SQL Server MVP)
http://www.sqldbatips.com


"Rustom" <RustomNB@xxxxxxxxxxx> wrote in message
news:ejcYreM7GHA.660@xxxxxxxxxxxxxxxxxxxxxxx
I am running SQL Server 2005 in a Windows Server 2003 domain and utilizing
Windows Authentication. I have a webserver running a Visual Studio
application which resides in the DMZ on a Windows Workgroup. From a
security perspective what is the best practice with regards to how this
application should connect to SQL? I would like this application to use
Windows Authentication, however, I am assuming this is not possible as the
webserver is in the DMZ and not part of the domain. If this application
uses SQL Authentication, is the password transmitted in clear text?

Thanks

Rustom
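
The settings discussed in this thread can be checked on the server itself. The T-SQL below is an added example, not part of the original posts: it creates a SQL login with the Windows password policy applied, lists SQL logins that are exempt from it, and shows for each connection the authentication scheme and whether the session traffic after login is encrypted. The login name and password are placeholders, and the last query requires VIEW SERVER STATE permission.

```sql
-- Added example; the login name and password below are placeholders.

-- 1. SQL login for the DMZ web application, with Windows password policy
--    and expiration applied to it.
CREATE LOGIN web_app_login                      -- hypothetical name
    WITH PASSWORD = '<strong-password-here>',   -- placeholder
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;

-- 2. SQL logins that are NOT subject to policy or expiration checks.
SELECT name,
       is_policy_checked,
       is_expiration_checked,
       is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0
   OR is_expiration_checked = 0
ORDER BY name;

-- 3. Current user connections: how each one authenticated and whether the
--    session itself (not only the login packet) is encrypted.
SELECT s.login_name,
       s.host_name,
       s.program_name,
       c.client_net_address,
       c.net_transport,
       c.auth_scheme,       -- SQL, NTLM or KERBEROS
       c.encrypt_option     -- TRUE when the connection is encrypted
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s
  ON s.session_id = c.session_id
WHERE s.is_user_process = 1
ORDER BY c.encrypt_option, s.login_name;
```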




