Subject: Transmission of Username & Password?

[MaxGruven]

Is the Username and Password specified in the Connection String of an ASP.NET
application transmitted to an SQL Server 2005 sent as clear text from the IIS
Server?

The reason I ask is our IT department has mandated that all
username/passwords be encrypted when sent from one server to another within
our corporate intranet in case someone is running a sniffer.

If so, what strategy might be employed in order to meet this requirement??

It seems like using Integrated Security in the connection string might work…
but how can I be sure the username/password is not sent and if so, in the
clear?

An Encrypted Connection (Encrypted=True) seems expensive and requires a
server certificate be installed on the SQL Server.

TIA,
G

Cross Posted:
microsoft.public.sqlserver.security

 

[MaxGruven]

OK, over in the SQL Security newsgroup there is confirmation that the
credentials are not sent to SQL Server in clear test from ASP.NET/IIS just a
token using SSL.

So now my question is: The users of this ASP.NET Web App are authenticated
using Windows Authentication. Therefore their credentials are passed from
their desktop computer from IE to IIS.

In this case, is it true that the process uses their credentials to access
local resources and the SQL Server? Doesn't that mean one ASP.NET process
per user??

Would it make sense to impersonate a domain user by setting impersonate =
true in web.config and user/password to a special account that has access
enabled to the database and local resources? E.g. the Virtual Directory.

Another approach might be to have all the users in a Domain group that has
access to local resources and the SQL Server database.

Comments on these approaches or another that might be more elegant?

TIA,
G