Re: Transmission of Username & Password?
- From: "Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 27 Sep 2007 11:34:26 -0500
MaxGruven wrote:
> Is the Username and Password specified in the Connection String of an ASP.NET
> application transmitted to an SQL Server 2005 sent as clear text from the IIS
> Server?
>
> The reason I asked is our IT department has mandated that all
> username/passwords be encrypted when sent from one server to another within
> our corporate intranet in case someone is running a sniffer.
>
> If so, what strategy might be employed in order to meet this requirement?
>
> It seems like using Integrated Security in the connection string might work,
> but how can I be sure there is no username/password sent?
>
> An Encrypted Connection (Encrypted=True) seems expensive and requires a
> server certificate.

My understanding of Windows Authentication with SQL Server is that the
credentials are not sent to SQL Server, only the token created when Windows
authenticated the user. The token identifies the user and their group
memberships.
When Windows authenticates a user, the password is hashed at the client and
the hash value is sent to Active Directory. The AD database does not save a
cleartext copy of the password, only the one-way hash value. It is this hash
value that the client sends to the Domain Controller for authentication. The
DC returns the token using SSL.
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
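
An added example, not part of the original post or either poster's code: a Python check that reads the `<connectionStrings>` section of a web.config and reports which entries carry a SQL login (User ID/Password) without the SqlClient `Encrypt` keyword and which rely on Integrated Security. The sample config, its server, database and login names, and the verdict labels are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample web.config; server, database and login names are made up.
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="Orders" connectionString="Data Source=sql01;Initial Catalog=Orders;User ID=webapp;Password='p;w'" />
    <add name="Reports" connectionString="Server=sql01;Database=Reports;UID=webapp;PWD=x;Encrypt=True" />
    <add name="Hr" connectionString="Data Source=sql01;Initial Catalog=HR;Integrated Security=SSPI" />
    <add name="Mixed" connectionString="Server=sql01;Trusted_Connection=yes;User ID=old;Password=old" />
  </connectionStrings>
</configuration>"""

# key=value pairs separated by ';'; a quoted value may itself contain ';'
PAIR = re.compile(r"""\s*([^=;]+?)\s*=\s*("[^"]*"|'[^']*'|[^;]*)\s*(?:;|$)""")
SYNONYMS = {"uid": "user id", "user": "user id", "pwd": "password",
            "trusted_connection": "integrated security"}
TRUE_VALUES = {"true", "yes", "sspi"}               # Integrated Security on
ENCRYPT_ON = {"true", "yes", "mandatory", "strict"}  # Encrypt requested

def parse(conn_str):
    """Return the connection string as a dict with lower-cased, canonical keys."""
    out = {}
    for key, value in PAIR.findall(conn_str):
        key = key.strip().lower()
        out[SYNONYMS.get(key, key)] = value.strip().strip("\"'")
    return out

def classify(conn_str):
    """Classify one connection string against the requirement in the question."""
    kv = parse(conn_str)
    if kv.get("integrated security", "").lower() in TRUE_VALUES:
        # SqlClient ignores User ID/Password when Integrated Security is on,
        # but a leftover password is still a stored secret worth removing.
        return "windows-auth-stale-secret" if "password" in kv else "windows-auth"
    if "user id" in kv or "password" in kv:
        encrypted = kv.get("encrypt", "").lower() in ENCRYPT_ON
        return "sql-login-encrypt-requested" if encrypted else "sql-login-no-encrypt"
    return "no-credentials"

def audit(web_config_xml):
    """Map each <connectionStrings>/<add> name to its classification."""
    root = ET.fromstring(web_config_xml)
    return {add.get("name"): classify(add.get("connectionString", ""))
            for add in root.iter("add") if add.get("connectionString")}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_WEB_CONFIG).items():
        print(f"{name}: {verdict}")
```
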