[ Team LiB ]Recipe 1.8 Connecting to SQL Server Using Integrated Security from ASP.NET Problem You want to coordinate Windows security accounts between an ASP.NET application and SQL Se
Trang 1[ Team LiB ]
Recipe 1.8 Connecting to SQL Server Using Integrated Security from ASP.NET Problem
You want to coordinate Windows security accounts between an ASP.NET application and SQL Server
Solution
Connect to SQL Server from ASP.NET using Windows Authentication in SQL Server
Discussion
Connecting to a SQL Server database provides two different authentication modes:
Windows Authentication
Uses the current security identity from the Windows NT or Windows 2000 user account to provide authentication information It does not expose the user ID and password and is the recommended method for authenticating a connection
SQL Server Authentication
Uses a SQL Server login account providing a user ID and password
Integrated security requires that the SQL Server is running on the same computer as IIS and that all application users are on the same domain so that their credentials are
available to IIS The following areas of the application need to be configured:
• Configure the ASP.NET application so that Integrated Windows Authentication is enabled and Anonymous Access is disabled
• The web.config file establishes the authentication mode that the application uses
and that the application will run as or impersonate the user Add the following
elements to the web.config file:
• <authentication mode="Windows" />
<identity impersonate="true" />
• The connection string must contain attributes that tell the SQL Server that
integrated security is used Use the Integrated Security=SSPI attribute-and-value pair instead of the User ID and Password attributes in the connection string The
Trang 2older attribute-and-value pair Trusted_Connection=Yes is also supported
• Add users and groups from the domain and set their access permissions as
required
By default, ASP.NET applications run in the context of a local user ASPNET on IIS The account has limited permissions and is local to the IIS computer and therefore not
recognized as a user on remote computers To overcome this limitation when SQL Server
is not on the same computer as IIS, run the web application in the context of a domain user recognized on both IIS and SQL Server computers
In addition to the areas identified where IIS and SQL Server are on the same computer, the following additional items must be configured if the SQL Server is on a different computer:
• Ensure that the mapped domain user has required privileges to run the web
application
• Configure the web application to impersonate the domain user Add the following
elements to the web.config file for the web application:
• <authentication mode="Windows" />
• <identity impersonate="true" userName="domain\username"
password="myPassword" />
[ Team LiB ]