Passing IIS Anonymous Account to SQL Server

Matt F

Hi all

I was hoping someone could clear up an ASP.NET security question I
have.

I am writing an ASP.NET application that connects to SQL Server. The
security setup (connection string and IIS) will vary depending on the
client who installs it. Some clients will undoubtedly wish to have IIS
and SQL Server on separate machines, with Anonymous authentication in
IIS, and a SQL Server connection string using Windows integrated
security.

I've found that, if I'm using Windows integrated security in the
database connection string, and Anonymous authentication at IIS with an
appropriate account specified, the authentication doesn't get passed
through to the remote SQL Server. I'm using Forms authentication in the
ASP.NET app, with impersonation turned on. To get the app to work with
the SQL Server instance on another machine using the configuration
above, I've found I've had to specify a username and password in the
'identity' element where impersonation is turned on. I'm not a big fan
of this as the credentials are in clear text. With old ASP, the account
being used for IIS Anonymous authentication was used, but this seems to
no longer be the case. I know I could probably change the account in
machine.config, but this is also not acceptable given the app will be
sold pre-packaged.

Does anyone have any suggestions? Am I missing something simple??

Thanks

Matt
 
avnrao

I am not clear enough about making your app impersonation enabled. Is it
because SQL Server needs to know the logged-in client to give object-based
permissions?

If you don't need impersonation, there are different ways to connect to SQL
Server (as almost all you mentioned), but the best way would be to create a
Windows login for this purpose. Give minimum permissions to this login on
the SQL box. Configure this account as the ASP.NET identity (default is ASPNET).

hth,
Av.
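
The reply above suggests a dedicated Windows login with minimum permissions on the SQL box. The T-SQL below sketches that setup and a check of what the account can actually do. It is an added example, not part of the original posts. The account `CONTOSO\svc_webapp`, database `AppDb`, schema `app` and role `webapp_exec` are hypothetical names, and the syntax assumes SQL Server 2005 or later.

```sql
-- Hypothetical names throughout: CONTOSO\svc_webapp, AppDb, app, webapp_exec.
-- Run as a server administrator on the SQL Server machine.

USE [master];
-- Server-level login mapped to the Windows account; no server roles are granted.
CREATE LOGIN [CONTOSO\svc_webapp] FROM WINDOWS
    WITH DEFAULT_DATABASE = [AppDb];

USE [AppDb];
-- Database user for that login.
CREATE USER [svc_webapp] FOR LOGIN [CONTOSO\svc_webapp];

-- Grant through a role so the permission set is visible in one place.
-- Assumes the application reaches data only through procedures in schema app.
CREATE ROLE [webapp_exec];
GRANT EXECUTE ON SCHEMA::[app] TO [webapp_exec];
EXEC sp_addrolemember 'webapp_exec', 'svc_webapp';

-- Check 1: the login holds no sysadmin membership (expect 0).
SELECT IS_SRVROLEMEMBER('sysadmin', 'CONTOSO\svc_webapp') AS is_sysadmin;

-- Check 2: effective permissions as seen by the account itself.
EXECUTE AS USER = 'svc_webapp';

SELECT IS_ROLEMEMBER('db_owner') AS is_db_owner;      -- expect 0

SELECT permission_name                                 -- expect CONNECT only
FROM fn_my_permissions(NULL, 'DATABASE');

SELECT permission_name                                 -- expect EXECUTE
FROM fn_my_permissions('app', 'SCHEMA');

REVERT;
```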
 
Matt F

Hi

Thanks for your reply.

The client(s) will be setting this web application up and running it
themselves. I was therefore using impersonation (without a specific
login) in an attempt to allow them to configure IIS security how they
wish, and for the ASP.NET app to use whatever IIS is using. This also
may indeed include permissions on SQL Server. It all depends on how the
client wishes to configure their security.

If I got the client to change the ASP.NET identity, won't this affect
any other ASP.NET apps on their server?

Cheers

Matt
 
