asp.net sql trusted connections between servers

Discussion in 'ASP .Net Security' started by Rob, Oct 21, 2005.

  1. Rob

    Rob Guest

    So we have a client who doesn't want to run a Service Level Account
    (either via an Application Pool or IIS impersonation) and we need to
    connect to a remote SQL Server instance w/ Read-Write permissions. They
    don't want to do it that way due to the maintenance issues with
    passwords in multiple locations.

    We're using an OLE connection to SQL server and currently have the
    username and password obfuscated (not strong encryption) in the
    connection string in the web.config. Looking for a better alternative.

    We've looked into things such as described here:

    http://idunno.org/dotNet/trustedConnections.aspx

    This is a secured, internal app: Where I'm confused is why the standard
    Windows Authentication setting for access via IIS doesn't seem to pass the
    user's credentials to the SQL Server (even with impersonate=true in
    web.config). Ideally we just wanted to have a read-write Windows group and
    add users that way. The connection to SQL with impersonation and Windows
    Authentication remains either IIS or the Application Pool Identity?

    So, two questions:

    1. Is this impersonation behavior with IIS and Windows Authentication
    documented anywhere (need to show them via a reliable source this
    doesn't work beyond the fact that it's not working)

    2. Short of encrypting the user connection information in the registry
    (also a maintenance hassle) are there any other options?

    many thanks,

    Rob
     
    Rob, Oct 21, 2005
    #1

  2. If IIS and SQL are on different boxes and you are using IWA in IIS, then you
    need Kerberos delegation in order for IIS to be able to delegate the user's
    credentials over a second machine hop to the SQL box.

    http://msdn.microsoft.com/vstudio/u...l/SecNetHT05.asp?FRAME=true#ImplementKerberos
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

    Joe K.

    "Rob" <> wrote in message
    news:...
    > So we have a client who doesn't want to run a Service Level Account
    > (either via an Application Pool or IIS impersonation) and we need to
    > connect to a remote SQL Server instance w/ Read-Write permissions. They
    > don't want to do it that way due to the maintenance issues with passwords
    > in multiple locations.
    >
    > We're using an OLE connection to SQL server and currently have the
    > username and password obfuscated (not strong encryption) in the connection
    > string in the web.config. Looking for a better alternative.
    >
    > We've looked into things such as described here:
    >
    > http://idunno.org/dotNet/trustedConnections.aspx
    >
    > This is a secured, internal app: Where I'm confused is why the standard
    > Windows Authentication setting for access via IIS doesn't seem to pass the
    > user's credentials to the SQL Server (even with impersonate=true in
    > web.config). Ideally we just wanted to have a read-write Windows group and
    > add users that way. The connection to SQL with impersonation and Windows
    > Authentication remains either IIS or the Application Pool Identity?
    >
    > So, two questions:
    >
    > 1. Is this impersonation behavior with IIS and Windows Authentication
    > documented anywhere (need to show them via a reliable source this doesn't
    > work beyond the fact that it's not working)
    >
    > 2. Short of encrypting the user connection information in the registry
    > (also a maintenance hassle) are there any other options?
    >
    > many thanks,
    >
    > Rob
     
    Joe Kaplan (MVP - ADSI), Oct 23, 2005
    #2
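
Added example, not part of either post: a small ASP.NET handler for checking where the double hop described above breaks. It reports the IIS-authenticated user, the identity and token level the worker thread holds, and the login SQL Server actually sees over a trusted OLE DB connection. It assumes `<authentication mode="Windows"/>` and `<identity impersonate="true"/>` in web.config; the handler name, server name and database name are hypothetical placeholders.

```csharp
// Added diagnostic example; WhoAmIHandler, SQLHOST.example.local and AppDb are placeholders.
using System;
using System.Data.OleDb;
using System.Security.Principal;
using System.Web;

public class WhoAmIHandler : IHttpHandler
{
    // Trusted connection: no user name or password is stored; the thread's identity is used.
    const string ConnStr =
        "Provider=SQLOLEDB;Data Source=SQLHOST.example.local;" +
        "Initial Catalog=AppDb;Integrated Security=SSPI;";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext ctx)
    {
        HttpResponse r = ctx.Response;
        r.ContentType = "text/plain";

        // Hop 1: the account IIS authenticated with Integrated Windows Authentication.
        r.Write("Browser user:    " + ctx.User.Identity.Name + "\n");

        // The identity the request thread runs as. With impersonation off this is
        // the application pool account; with it on, the browser user.
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        r.Write("Thread identity: " + id.Name + "\n");

        // "Impersonation" = token is valid on this machine only.
        // "Delegation"    = Kerberos delegation is in effect and the token can make hop 2.
        r.Write("Token level:     " + id.ImpersonationLevel + "\n");

        try
        {
            // Hop 2: ask SQL Server which login it authenticated.
            using (OleDbConnection conn = new OleDbConnection(ConnStr))
            using (OleDbCommand cmd = new OleDbCommand("SELECT SYSTEM_USER", conn))
            {
                conn.Open();
                r.Write("SQL login:       " + cmd.ExecuteScalar() + "\n");
            }
        }
        catch (OleDbException ex)
        {
            // Without delegation the remote login typically fails as an anonymous logon.
            r.Write("SQL connect failed: " + ex.Message + "\n");
        }
    }
}
```

If the token level reads Impersonation and the SQL step fails while the thread identity is already the browser user, the first hop is fine and the missing piece is Kerberos delegation for the second hop. Remove the handler once the check is done, since it echoes account names and error text.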

  3. Rob

    Rob Guest

    Joe Kaplan (MVP - ADSI) wrote:
    > If IIS and SQL are on different boxes and you are using IWA in IIS, then you
    > need Kerberos delegation in order for IIS to be able to delegate the user's
    > credentials over a second machine hop to the SQL box.
    >
    > http://msdn.microsoft.com/vstudio/u...l/SecNetHT05.asp?FRAME=true#ImplementKerberos
    > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
    >
    > Joe K.


    That seems to be the consensus. Thanks for the assistance. We'll be
    trying that this week.

    Rob
     
    Rob, Oct 24, 2005
    #3
