If I have an application (on C#) that runs under a user context (ex. DOMAIN\StandardUser) which makes a call to a Web Service, which has the web service worker process running under a different context (ex. DOMAIN\WebServiceUser), and that web service connects to a SQL database, which user context does the database connect from, the StandardUser or the WebServiceUser?
Thanks,
use integrated security, so your user context will also use for web service.
Related
I am working on application whose details are as follows:
Its 3 tier architecture. Web Tier (ASP.Net MVC) -- Service Tier (ASP.Net WebApi 2) -- Database Tier(MS SQL 2014).
Application will also have native mobile apps as clients which will consume Service tier.
Service Tier (Web API) uses individual username/password in conjunction with OAuth for authentication and authorization.
User details are stored using ASP. Net Identity system. ASP. Net Identity database tables are in same database as that of application database.
There will be no direct calls from clients i.e. web or mobile apps to database and every request has to go via service layer.
Users of web client and mobile apps will be authenticated against asp.net identity database which is part of application database.
I have partially implemented above architecture however facing one challenge i.e. once user is authenticated, OAuth token will be issued from service layer which will be valid for one day. But how and where should I securely store this token in Web Client (ASP.Net MVC app) so that user needs to login only once in day and not for every single request that it makes.
One option I can think of is once user is authenticated and token is received in web client then store it in in-memory session storage and use it for further requests. However down side of this is, it will reduce scalability of application and will require sticky sessions in load balanced environment.
Is there any better way I can handle this situation? Also want to validate above architecture if its correct architecture?
So there are actually two web services involved,
1) SP 2013 executing a web service which reaches out to data from a SQL Server DB
2) ASP.Net page executing a web service that reaches out to data from SP2013 (like items in a list).
1 seems feasible I think because SP2013 authenticates users at the AD level and the service would execute as the user. If the DB allows read access to all there should be no issue, right?
2 I'm not sure about. Would the service be executed as something like "ASPNET USER" or "NETWORK SERVICE" or something that's not the user account? Meaning the service would get access denied because "ASPNET USER" doesn't have access to the SP site/etc.
Yes, you can consume data from SharePoint 2013 in your ASP.Net application or in any other platform. But instead of creating a new web service to make it (avoid querying the SharePoint SQL Server database directly), you could use the native SharePoint web services.
To consume data in lists, libraries, etc from your portal you can use the lists.asmx web service with the GetListItems method.
When you call the GetListItems method, you can identify the user credentials:
myListsService.Credentials = new System.Net.NetworkCredential("user",
"password",
"domain");
See this link: http://msdn.microsoft.com/en-us/library/lists.lists.getlistitems(v=office.12).aspx
How to return List Items: http://msdn.microsoft.com/en-us/library/office/ms429658(v=office.14).aspx
I have VSTO application that needs to access a SQL server database but it cannot do it directly. I have thought of two ways to perform this task, but I don't know if those are the best ones :
Creating a "fake" aspx that will be accessed from the VSTO and that will call the SQL server database
Hosting a web service on my distant server. This web service will be accessed from the VSTO and will call the SQL server database
Your second option is the way to go. Create a WCF service, and have this access the SQL Server in a trusted environment. You can protect the service with Windows Authentication, or otherwise pass a user name/password or session key with every call.
I've got an ASP.NET (.NET 4.0) application that uses Windows Forms Authentication. This authenticates against Active Directory and works just fine.
This web app calls an ASP.NET Web Service(.NET 4.0) on the same server. Both the app and the service are running on IIS 6.
The web service calls a SQL Server 2005 database in the same domain using "Integrated Security=SSPI" as part of the connection string.
I want the web service and the database connection to use the credentials of the logged in user of the web app.
I've tried dozens of combination of settings from dozens of web sites, but nothing has worked. I'm on my second day and haven't gotten anywhere.
Is this even possible?
In my latest attempt, I added this code in the web app before calling the web service:
svc.Credentials = System.Net.CredentialCache.DefaultCredentials;
But inside the service, User.Identity.Name returns the value of the user who started the web server.
What you're trying to do is called "delegation". It means that the end-user is authenticated with the web server, and then the web server tries to use those credentials to gain access to the SQL Server. But the SQL Sever does not trust the web server, it only trusts the domain controller. So the request fails.
Besides not working, delegation has another disadvantage. Because each user would use different credentials, SQL connections would no longer be pooled. Each credential would have its own pool. That would be a major resource hog even at low user counts.
For more information, check out this MSDN article.
TL;DR: Give up on delegation and move to SQL auth.
I have an application developed in ASP.NET MVC using Entity Framework / Sql Server 2008
Actually, connections to the database are made with the "sa" account.
Is it possible to use, instead of "sa" the windows final user credentials ?
This would be helpful to control more efficiently the security limitations of each user.
I use, in my application windows authentication.
Thank's !
It is possible but whole your system must run inside windows domain, users must have domain accounts and your system infrastructure must be enabled for Kerberos delegation (belongs to ServerFault). The reason is that you have two hoops in the system - first user authenticates from his client machine to your web server and then web server delegates user credentials to database server. If client computer, web server and database server are different machine Kerberos delegation must be enabled (if db and web runs on the same server you should be fine without Kerberos). Your web application will have to use impersonation and your connection string will have to use windows integrated security.
Also using end user credentials will reduce performance of your system because EF will have to maintain separate connection pool per user. Administrator of SQL server will have to give access for every single user (or user group) using your application.