Sorry for the long title...
Here is the situation - 2 machines:
IIS 7.5/App server Windows 2008
SQL Server 2008
The SQL Server machine has a local account SpecialUser1. This account is used as login account in SQL Server itself and has full access to the database.
The IIS machine has an identical local account SpecialUser1.
Web application is setup using Windows Authentication + ASP.NET impersonation with that SpecialUser1 defined in identity tag of web.config.
<identity impersonate="true" userName="SpecialUser1" password="SpecialPassword" />
And it's using Integrated Security access to the SQL Server, defined in a connection string:
<connectionStrings>
<add name="ConnectionString1"
connectionString="Data Source=SQLSERVER1;Initial Catalog=DB1;Integrated Security=SSPI;"
providerName="System.Data.SqlClient"/>
</connectionStrings>
Will the web application be able to get access to the SQL Server's database using that impersonated account? Meaning - are these 2 identical accounts mapped to grant access to the database ?
I relied on the information from here: http://msdn.microsoft.com/en-us/library/bsz5788z(v=vs.100).aspx
and here: http://msdn.microsoft.com/en-us/library/aa292114(v=vs.71).aspx
Thanks
I came across your question while researching windows impersonation, which has changed in MVC5. One thing that struck me is if you only have one user for accessing the database then I don't think you really need impersonation. You could just put the username/password in the connection string.
Clearly you might have other things going on that you haven't mentioned that rules this out. However, the simple answers are often the best so I thought I would add this.
PS. Be warned that windows impersonation seems to have changed in MVC5. See this question the asp.net forum for more information. I'm still researching how to do this.
Related
I'm currently working on an intranet portal for my company, it will remain internal, only users with accounts on our domain will have access to it. At the moment, I use forms authentication method, and authenticate users against the Active Directory domain with System.DirectoryServices. I also interrogate the AD with System.DirectoryServices.AccountManagement to manage access rights depending on the Active Directory groups the user belongs to and I store some data in user sessions and everything works fine.
I've been asked to study whether Single Sign-On could be implemented in our context, all our users work in RDS without exceptions, so they always are in an authenticated session and the higher-ups would prefer not having to sign in at all. As far as rewritting the code to authentify and authorize users as explained here and here
I'm not too concerned.
I tried everything on a blank ASP.Net MVC5 project, to which I added an ADO.Net model with integrated security. My dev SQL Server is hosted on a remote server (not the dev desktop), the same server also hosts the dev IIS server. In production, both services will be on separate servers. This worked fine as long as I was debugging localy on my desktop, but once I published to the IIS server, I hit the first snag and couldn't get out of it.
When I changed settings in the IIS app to disable anonymous and enable windows authentication, IIS automatically changed <authentication mode="Forms" /> to <authentication mode="Windows" /> in the web.config file (as suggested here), but I couldn't make it work with Integrated Security=True or Integrated Security=SSPI, I get an error page saying [SqlException (0x80131904): Login failed for user 'DOMAIN\MACHINE$'.].
The connection string reads like: <add name="ASPNetProjectEntities" connectionString="metadata=res://*/Models.ModelASPNetProject.csdl|res://*/Models.ModelASPNetProject.ssdl|res://*/Models.ModelASPNetProject.msl;provider=System.Data.SqlClient;provider connection string="data source=MACHINE;initial catalog=DATABASE;persist security info=True;Integrated Security=SSPI;MultipleActiveResultSets=True;App=EntityFramework"" providerName="System.Data.EntityClient" />
I tried to add the machine account DOMAIN\MACHINE$ to SQL logins and grant it rights to the database, but no dice. I tried to authorize delegation in the server AD account and activate identity impersonation, but that didn't work either. I can only make it work on the remote IIS server if I put a SQL user/pass in the connection string.
So I'm at loss what could be missing here to make it work with Integrated Security. Or will I have to put SQL credentials in the connection string and encrypt it on IIS?
You're confusing Integrated Security with the authentication mechanism of your website. If you use Integrated Security, the connection used from your web app to SQL Server will use the account that the application pool your web app is running as is using. To use Integrated Security, have a service account created in AD, set your app pool to run as that account, and grant the necessary permissions to that service account in SQL Server.
Note that whether you're using forms auth or integrated security isn't relevant to how the web app connects to SQL Server, unless you're using impersonation, which you should never use.
I'm creating something like an Intranet. Users today already access directly SQL Server using Windows Authentication, where security grants are set for each user, but I want to put the ASP.NET Web Server between these users and the database. I want the IIS to pass user's windows authentication credentials (from users accessing the website) to the SQL Sever.
Conditions:
Both the Sql Server and the IIS are in the same domain.
They are in different machines.
I've found this acticle which explains how to do that, but there is a disclaimer saying that SQL and IIS must be in the same machine.
Is there some way to do that given my conditions?
The don't have to be the same machine, just make sure you have set up IIS to use Windows Authentication and also in your connection string connect as the windows user e.g.
<connectionStrings>
<add name="DatabaseConnectionName" connectionString="Data Source=localhost;Initial Catalog=YourDataBaseName;Integrated Security=True;" providerName="System.Data.SqlClient" />
</connectionStrings>
I am using integrated security in an ASP.net application, the IIS and SQL Server are both hosted on the same server machine running Windows Server 2008 R2.
Is it possible to allow users to access the application from across the network AND logged in users but not let them access the database directly or via SQL Server Management Studio?
I am trying to safeguard the database access because my application is going to be deployed on the client's server at client's premises.
Here is my connection string that i am currently using
<add connectionString="Server=.\sqlexpress;Database=DB89akwA;Integrated Security=true" name="LocalSqlServer" providerName="System.Data.SqlClient" />
<add connectionString="Server=.\sqlexpress;Database=DB89akwA;Integrated Security=true" name="MainAppConnectionString" providerName="System.Data.SqlClient" />
These are the two connection strings i am currently using, one is for ASP.net Authentication and second is used by my application. These both strings are the same and of the same database.
Any suggestions?
It is not possible to 'secure' a database running on client's premises. The client's staff can get the password from the ASP.Net connection string. A domain administrator can always gain access to the database (there is an actual MSDN article describing the process: Connect to SQL Server When System Administrators Are Locked Out).
If you want to hide the Intelectual Property you feel your database has, then your only solution is to not deploy the database on the client premise (use a hosted database like SQL Azure for instance).
If you simply want to prevent the client from interfering with the database you can stipulate so in the contract. Auditing and detecting interference is possible.
Yes, that is completely possible. A Person logged in to ASP.NET using integrated security can not log in to SQL Server with the same credentials. Both are completely disconnected. It is only possible if the SQL Server has been set to allow them access.
My Piece of advice would be to create SQL Login and users, and only give them access to SQL Server. In your application, when you create the Connection String, do not set integrated security to true, and just let the user enter his Sql username and password to access the database.
I have been building my web application with visual studio and sql server express and now I'm in the process of deploying it on a server. I need to change the connection string
This is what I have:
<add name="MySiteDBConnectionString"
connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\MySiteDB.mdf;Integrated Security=True;User Instance=True"
providerName="System.Data.SqlClient" />
This is what I need to replace it with:
<add name="LocalSqlServer"
connectionString="Data Source=DBServerName;Integrated Security=false;Initial Catalog=DBName;User ID=DBLogin;Password=DBPassword"
providerName="System.Data.SqlClient" />
The problem is that I don't know where or even if I set up a password for the database. What is integrated security?
I'm using linq-to-sql, do I also need to make some changes in the dbml file?
Thanks for some suggestions.
If you are not using Intergrated Security you will need to set up a user and password on the database server itself. If you are using shared hosting it is possible this will be provided for you. You can then replace DBLogin and DBPassword with your credentials.
Intergrated security uses your windows login/password details to authenticate against the database.
With your linq to sql if you are not passing in a connection string yourself you will need to use the designer to change the connection to the new database (or just overwrite the one in your config file).
Integrated security means that it will use credentials that the web site (app pool) is running under to access the database. You'd need to have SQL server set up to allow this account access to read/write your tables in order for this to work. If your web site is set up to run under the anonymous network account, then it's unlikely that this would be the case. If your web site runs under a domain account, then it's possible that you would need to use integrated security.
If you're not using integrated security, then your DB admin will have set up a SQL login for your application. This is the id/password that you need to use in your connection string. It's possible that multiple accounts have been set up, an admin account, a read/write account, a read-only account, execute SP account (these describe the permissions assigned to the account, not necessarily their names). In that case choose the appropriate one -- it's almost certainly not the admin account unless your DBAs know nothing about security.
FYI, if you use the User ID=...;Password=... format, you can omit the Integrated Security=false as it will assume a SQL login account and password.
'Integrated Security' mode is what was formerly called 'Use Trusted Connection': it uses the credentials of the currently logged on Windows user (in this case, most likely the IUSR_xxx account the web application is running as, or sometimes the computer account) as its login credentials.
I'm using Visual Studio 2008, MS SQL server 2008 Express
SQL server: zeroonea\SQL2008EXPRESS
i'm create a webproject, made a dbtest.mdf in App_Data, made some tables, use aspnet_regsql to create membership tables in there, everything work fine.
my connection string in web.config:
<connectionStrings>
<add name="dbtestConnectionString" connectionString="Data Source=zeroonea\SQL2008EXPRESS;Initial Catalog=dbtest;Persist Security Info=True;User ID=***;Password=***"
providerName="System.Data.SqlClient" />
</connectionStrings>
It still work when i run web application, the code can connect to sql server
but when i run Web Site Administration Tool, click on Security tab, i throw a error
There is a problem with your selected data store. This can be caused by an invalid server name or credentials, or by insufficient permission. It can also be caused by the role manager feature not being enabled. Click the button below to be redirected to a page where you can choose a new data store.
The following message may help in diagnosing the problem: Unable to connect to SQL Server database.
Any suggestion?
By default, I don't think SQL Express allows remote connections. You have to turn them on in the Server Networking tool.
http://www.linglom.com/2007/08/31/enable-remote-connection-to-sql-server-2005-express/
Also, as that blog mentions, SQL Express may be configured to only allow "Trusted" connections, and by providing a username and password in your connection string, you're connecting using SQL authentication.
Did you replace the db login and password with *** for the sample? If not, that's probably your problem.
Is this any use?
http://weblogs.asp.net/lhunt/archive/2005/09/26/425966.aspx
The fact it's SQLExpress may be adding an extra complication here.
This answer and other research helped me get this working. I have summarized the steps in detail here http://www.yart.com.au/Resources/Programming/ASP-NET-Security-Doesnt-Work.aspx