Passing IIS Anonymous Account to SQL Server

Discussion in 'ASP .Net' started by Matt F, May 3, 2004.

  1. Matt F

    Matt F Guest

    Hi all

    I was hoping someone could clear up an ASP.Net security question I
    have.

    I am writing an ASP.NET application that connects to SQL Server. The
    security setup (connection string and IIS) will vary depending on the
    client who installs it. Some clients will undoubtedly wish to have IIS
    and SQL Server on separate machines, with Anonymous authentication in
    IIS, and a SQL Server connection string using Windows integrated
    security.

    I've found that, if I'm using Windows integrated security in the
    database connection string, and Anonymous authentication at IIS with an
    appropriate account specified, the authentication doesn't get passed
    through to the remote SQL Server. I'm using Forms authentication in the
    ASP.NET app, with impersonation turned on. To get the app to work with
    the SQL Server instance on another machine using the configuration
    above, I've found I've had to specify a username and password in the
    'identity' element where impersonation is turned on. I'm not a big fan
    of this as the credentials are in clear text. With old ASP, the account
    being used for IIS Anonymous authentication was used, but this seems to
    no longer be the case. I know I could probably change the account in
    machine.config, but this is also not acceptable given the app will be
    sold pre-packaged.

    Does anyone have any suggestions? Am I missing something simple??

    Thanks

    Matt


    *** Sent via Developersdex http://www.developersdex.com ***
    Don't just participate in USENET...get rewarded for it!
     
    Matt F, May 3, 2004
    #1

  2. Matt F

    avnrao Guest

    I am not clear enough about making your app impersonation enabled. Is it
    because SQL Server needs to know the logged-in client to give object-based
    permissions?

    If you don't need impersonation, there are different ways to connect to SQL
    Server (as almost all you mentioned). But the best way would be to create a
    Windows login for this purpose. Give minimum permissions to this login on
    the SQL box. Configure this account as the ASP.Net identity (default is ASPNET).

    hth,
    Av.

     
    avnrao, May 3, 2004
    #2

  3. Matt F

    Matt F Guest

    Hi

    Thanks for your reply.

    The client(s) will be setting this web application up and running it
    themselves. I was therefore using impersonation (without a specific
    login) in an attempt to allow them to configure IIS security how they
    wish, and for the ASP.NET app to use whatever IIS is using. This also
    may indeed include permissions on SQL Server. It all depends on how the
    client wishes to configure their security.

    If I got the client to change the ASP.NET identity, won't this affect
    any other ASP.NET apps on their server?

    Cheers

    Matt



     
    Matt F, May 4, 2004
    #3
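An added example, not part of any post in this thread: a small audit of a web.config for the clear-text `identity` credentials the first post objects to, and for connection strings that embed a SQL login instead of integrated security. The sample config, the account name `EXAMPLE\svc_webapp` and the function name `audit_web_config` are constructed for illustration; the `registry:` form is ASP.NET's aspnet_setreg mechanism, which the thread does not mention.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config, modelled on the setup described in the thread:
# Forms authentication, impersonation with a fixed account, integrated security.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="ConnStr" value="Server=SQLBOX;Database=AppDb;Integrated Security=SSPI" />
  </appSettings>
  <system.web>
    <authentication mode="Forms" />
    <identity impersonate="true" userName="EXAMPLE\\svc_webapp" password="P@ssw0rd-constructed" />
  </system.web>
</configuration>"""


def audit_web_config(xml_text):
    """Return a list of (severity, message) findings for one web.config document."""
    findings = []
    root = ET.fromstring(xml_text)
    for ident in root.iter("identity"):
        if ident.get("impersonate", "false").lower() != "true":
            continue
        pwd = ident.get("password")
        if not pwd:
            findings.append(("info", "impersonation follows the IIS-supplied token; "
                             "check that it can authenticate to a remote SQL Server"))
        elif pwd.lower().startswith("registry:"):
            # Credentials referenced from an encrypted registry value (aspnet_setreg).
            findings.append(("ok", "identity password is a registry: reference"))
        else:
            findings.append(("high", "identity password stored in clear text for %s"
                             % ident.get("userName")))
    # Connection strings that carry a SQL login instead of integrated security.
    for el in root.iter("add"):
        value = el.get("value") or el.get("connectionString") or ""
        keys = {p.split("=", 1)[0].strip().lower() for p in value.split(";") if "=" in p}
        if keys & {"password", "pwd"}:
            findings.append(("high", "connection string '%s' embeds a password"
                             % (el.get("key") or el.get("name"))))
    return findings
```
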
