how to hash impersonated password

Discussion in 'ASP .Net' started by Mark, Feb 6, 2004.

  1. Mark

    Mark Guest

    We're going to use impersonation in our web.config file to connect via
    windows authentication to a SQL Server on the same domain. We'd like to
    hash the password rather than store it in plain text in the web.config file
    ..... suggestions?

    <identity impersonate="true" userName="mydomain\myuser" password="mypass"/>

    Thanks in advance!

    Mark
     
    Mark, Feb 6, 2004
    #1
    1. Advertising

  2. Mark

    Mark Guest

    We're on a windows network - we'd like to leverage windows authentication.
    We don't have SQL Server authentication turned on at all.

    I'm happy to store the hashed/encrypted password some where else, but would
    appreciate a bit of guidence on a best practice to follow.

    Thanks in advance.

    Mark

    "Adrijan Josic" <> wrote in message
    news:...
    > There's no logic in having it hashed in the web.config. If ASP.NET could

    login with a hashed password, so could everyone else hence someone could get
    the hash from your web.config file and use it to login just as he would with
    the original password.
    >
    > Why not you use standard SQL identification and store your password

    somewhere else, perhaps encrypted(not hashed)?
    >
    > You could probably also deny read/write permission on web.config to

    everyone except the neccessary system processes I guess...
    >
    >
    >
    > ----- Mark wrote: -----
    >
    > We're going to use impersonation in our web.config file to connect

    via
    > windows authentication to a SQL Server on the same domain. We'd like

    to
    > hash the password rather than store it in plain text in the

    web.config file
    > ..... suggestions?
    >
    > <identity impersonate="true" userName="mydomain\myuser"

    password="mypass"/>
    >
    > Thanks in advance!
    >
    > Mark
    >
    >
    >
     
    Mark, Feb 6, 2004
    #2
    1. Advertising

  3. Mark

    bruce barker Guest

    microsoft supplies no secure way to do this. the best you can do is encrypt
    the password and store where your like (note: all web sites on the server
    will have access to it, if they know where). then your code will have to
    impersonate the account before making any calls that require it. due asp.net
    to thread agility (threads may switch during page processing), you can not
    just do it once at the start of page processing.

    -- bruce (sqlwork.com)



    "Mark" <> wrote in message
    news:...
    > We're going to use impersonation in our web.config file to connect via
    > windows authentication to a SQL Server on the same domain. We'd like to
    > hash the password rather than store it in plain text in the web.config

    file
    > .... suggestions?
    >
    > <identity impersonate="true" userName="mydomain\myuser"

    password="mypass"/>
    >
    > Thanks in advance!
    >
    > Mark
    >
    >
     
    bruce barker, Feb 6, 2004
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Markus Stehle

    Change impersonated user during runtime

    Markus Stehle, Aug 16, 2003, in forum: ASP .Net
    Replies:
    5
    Views:
    676
    Ken Cox [Microsoft MVP]
    Aug 20, 2003
  2. =?Utf-8?B?Um9iZXJ0IERyb3pkeg==?=

    HKCU Registry Hive & ASP.NET impersonated application

    =?Utf-8?B?Um9iZXJ0IERyb3pkeg==?=, Jul 29, 2004, in forum: ASP .Net
    Replies:
    1
    Views:
    537
    Nicole Calinoiu
    Jul 29, 2004
  3. AAaron123
    Replies:
    2
    Views:
    2,202
    AAaron123
    Jan 16, 2009
  4. AAaron123
    Replies:
    1
    Views:
    1,357
    Oriane
    Jan 16, 2009
  5. rp
    Replies:
    1
    Views:
    540
    red floyd
    Nov 10, 2011
Loading...

Share This Page