Setting up integrated security to SQL Server

[Dave]

Hi,

I've read quite a few places where it recommends you use
integrated security in your connection string to SQL
Server

I tried this in test page to connect to the Northwind
database by setting my connection string to:

"data source=<mymachinename>;initial
catalog=Northwind;integrated security=SSPI;"

It worked as long as I added ASPNET, the account used for
running ASP.NET Worker processes, as a SQL Server Login
with access to Northwind.

My question is shouldn't each web application on the
server have it's own ASPNET-type account so it only has
accesses the databases it needs?

For example, can I setup the following?

ASPNET_Northwind (This account can only access the
Northwind site and the Northwind database)

ASPNET_Pubs ((This account can only access the Pubs site
and the Pubs database)

Otherwise if all sites use the same ASPNET account, they
can make queries to other databases.

how do I do this?

Thanks, Dave.

 

[S. Justin Gengo]

Dave,

In IIS you can tell a web site to run using a network username and password.

In Interenet Information Services, right click the web site and open the
properties window for it.

Go to the Directory Security Tab and then click the Edit button in the
Anonymous access and authentication area.

In the Anonymous Access area make sure that Anonymous access is checked.

Please not the text in this area: "Account used for anonymous access:" Click
the Browse button and select the account you would like this web site to run
as.

(You should uncheck the Allow IIS to control password checkbox and provide
the password for the account.)

Now give this account access to the correct SQL database.

Sincerely,


--
S. Justin Gengo, MCP
Web Developer

Free code library at:
www.aboutfortunate.com

"Out of chaos comes order."
Nietzche