Is it possible to pass Windows domain credentials (users) from their browser directly to MSSQL for database authentication?
Still learning ASP.NET and EF, but I have a working webapp that uses a static DB connection string in my webconfig. I'm using Windows Authentication via IIS to control access to the website, but I need to support read/write permissions in the database, per user.
It would be great if I could just use AD and assign permissions directly in SQL server, instead of having to maintain my own user table and permissions/roles.
It is possible with impersonation. You can configure it to pass the same credentials from the IIS to SQL Server, however, if SQL server is physically in another server, you might need to give some permissions to users. I have done this years ago, but couldn't do it again recently.
Related
I have two servers, let's say they are APPSVR (ASP.NET) and DBSVR (SQL Server). Currently, the application running smoothly with database connection using SQL Server authentication with User Id and Password.
In the future, it must be changed with Windows Authentication Integrated Security=True. I have tried to change this but can't worked (DB connection failure).
We have domain controller also and both server in the same domain. I am not sure which one that must be configured in our environment (Domain/SQL Server/IIS Manager). What's the right procedure to do this?
Is your asp.net application already running with domain user authentication?
Do you need per user login for SQL server because you set up the
access right on domain user rather than create your own access right
system on your asp.net application?
Why i am asking you this? Because You need to consider the differences between web application and desktop application. In web application, the web server contact the sql server not the user pc.
So this complicate the setup if you want the web server to use the windows authentication to login to sql server then you need to set up the web server to somehow masquerade as the domain users. You also need to consider the scenario if user are accessing the web application from the internet.
I suggest using strong application only password for sql server connection using local user rather than domain Users. For access right you can simply create a new table to store domain user login id and their access right. This set up still allow login to web application using the domain Users but the database connection is not. The Advantage is you can minimize the access to simply few or even one user application only user you need to maintain in sql server rather than every domain Users that need to be registered on sql server if you use windows authentication.
If you still need the Windows Authentication set up than you can see the info here.
We recently had to change over to using Windows Auth instead of a SQL Account to access the DB from our ASP site. The trick is to have the application pool start up with the same domain account you use to access the SQL Server and then you can just change your connection string to use Integrated Security.
The process is shown here:
https://thycotic.force.com/support/s/article/Using-Windows-Authentication-to-access-SQL-Server-Secret-Server
We have an internal asp.net web application which has ASP.NET authentication and Windows Authentication enabled so that users can be logged in as soon as they connect to the website using their domain credentials (this is a requirement that we cannot change).
We are currently looking to upgrade our SQL database and understand that SQL Authentication is less secure than integrated security (e.g. https://msdn.microsoft.com/en-us/library/bb669066(v=vs.110).aspx). Currently we use SQL Authentication.
We could easily change the connection string to run using integrated security, however IIS presents the user as the domain user connected to the website (e.g. domain\greg) instead of the service (domain\WebsiteServiceUser), because IIS impersonates the user. This impersonation is needed to access their Exchange Mailbox, files and other things.
If we were to go down this path, we would have to add logons for every user (using AD groups) to SQL Server. This is possible, but in itself presents a new security issue - users would be able to create a SQL connection outside of our web application and run whatever queries they like against the database. All of our authorization could be bypassed.
Is there a way to connect to SQL using Integrated Authentication using the user that the AppPool runs as (Domain\WebsiteServiceUser) instead of connecting as the currently logged on user (Domain\Greg)?
I have installed a new web application that access a SQL Server database in a different server. I'm using Windows Authentication and get the error of:
Login Failed for user XXX
When I try to set identity impersonate="true" in the web.config file, it just throws an error
Login Failed for anonymous user
Also, I'm using forms authentication to validate users from my website and using a different application pool.
Update: connection string Basically like this:
Data Source=myServerAddress;Initial Catalog=myDataBase;Integrated Security=SSPI;
Update:
My Virtual Directory has Anonymous Authentication and Windows Authentication enabled.
Typically ASP.NET runs as an anonomous account. In order to access a remote SQL Server using integrated authentication (SSPI), you'll need to have a bit more "permenant" presence. Easy way would be to shift the app pool to use the NETWORK SERVICE built-in account. Slightly trickier would be to use a named account. On the SQL server side of the equation you will need to give the same account -- either matching user/pass or NETWORK SERVICE -- proper permissions to your database.
Your DBA should be able to help.
It is difficult to provide you with an exact answer because you have not provided your connection string or info on your SQL Server config. Your best bet is to look at the IIS configuration and work out what user is attempting to access the different SQL Server. You then need to give this account access to the database. This is a common problem and most of the changes need to happen in SQL Server unless you can change the account that the web server is running under.
What's the preferred (best practice) means of connecting an ASP.Net Website to a database? I doubt it's as simple as using Trusted-Connection and giving the NT-Authority accounts access.
What do y'all do? Assuming a clean install of SQL Server (2008), what do you do to configure access to the database for a website?
I usually run ASP.NET app pool as a separate account (not NT AUTHORITY\NETWORK SERVICE) and use Windows authentication to access the SQL Server. This method has the advantage of not storing the password in config files.
Steps:
Create a user account to run your ASP.NET application on.
Create an application pool in IIS and run it on the created account.
Assign NTFS permissions that your application needs to the account.
Grant permission to login on SQL Server.
Assign the appropriate database roles to the created login.
This will work for many apps. For more complex security environments, you might need more sophisticated strategies.
I used to use trusted connections, but ended up feeling that that sometimes I ended up having to grant too many privileges to the service account used for the connection/app pool. Now I use SQL Server accounts and set up the application to encrypt the connection strings during Application_Start if they aren't already encrypted. In fact I encrypt any section that may contain user credentials. I use an appSetting to determine whether the encryption code runs so I don't encrypt my settings in the development environment.
I also use SQL Server accounts, just find it simpler to do and to troubleshoot.
Best practice says to keep my web app and database on separate machines, but when doing that it seems I can't get a clear explanation on how best to make this connection. Whil windows auth is the recommended authentication, I don't see how to make a trusted connection . Must I use impersonation to have my application connect to a db server?
Are most people simply using SQL authentication in this case?
Both machines are on a virtual cloud network.
If both computers are in the same domain, I'd use Windows Authentication for the SQL connection. To set it up:
Create a domain account to use for the app.
Give the id the absolute minimum priveleges necessary to host the site on the web server. For example, it must have read access to the web site itself, write access only to folders updated by the web site, etc.
Change IIS so that the domain account is used to run the app. In IIS6 & IIS7, you do this through the application pool. In IIS5, you have to change the settings in the machine.config or in the web.config for the ProcessModel.
All calls to the database will be done through this domain account; you won't have to setup impersonation. In fact, if you are using SQL authentication today, the only change you need to make is to the database connection string; no code changes are needed.