Mike,
The most common approach to this common problem is to specify SQL
credentials in the connection string. The downside here is that you need to
protect the connection string at storage, which is a challenge, but unless
you have certain specific conditions, you do not have many alternatives. If
you want to propagate the user's credentials to SQL server, you have to enable
delegation at the AD domain level, which is not a good idea from a security
perspective. And what is worse, your app will not be able to use connection
pooling, so the scalability goes down the drain. If you want to connect to
SQL Server using credentials of the IIS worker process, you either need to
run the IIS process as a domain user or set them identically on both the SQL
server and Web server using a local account (with the same password). I don't
think that either of these options is good, because if you do this (for one,
any application running under your Web site will be able to connect to SQL
server with privileged rights). The bottom line here is that you will
introduce more problems than you solve. Just go with the SQL credentials in
the connection string. From my experience, this is what most enterprise apps
do.
Alek
> Hi,
>
[quoted text clipped - 23 lines]
>
> <M>ike
<M>ike - 22 Jun 2004 10:42 GMT
Thanks Alek,
That certainly sounds good and reinforces what I was thinking. I think I
will try to save the credentials in the Web.config file as AppSetting keys
so they are not saved in each page and should be more secure.
Cheers,
<M>ike
> Mike,
>
[quoted text clipped - 47 lines]
> >
> > <M>ike
Alek Davis - 22 Jun 2004 16:57 GMT
Just make sure that the credentials are encrypted.
Alek
> Thanks Alek,
>
[quoted text clipped - 70 lines]
> > >
> > > <M>ike
<M>ike - 23 Jun 2004 11:50 GMT
Any top tips on how to encrypt these credentials? I guess the details are
decrypted by a function in a class within the project every time they are
needed?
<M>ike
> Just make sure that the credentials are encrypted.
>
[quoted text clipped - 83 lines]
> > > >
> > > > <M>ike
Maras - 23 Jun 2004 15:55 GMT
> Any top tips on how to encrypt these credentials? I guess the details are
> decrypted by a function in a class within the project every time they are
> needed?
Read about aspnet_setreg tool.

Best regards
Maras
Alek Davis - 23 Jun 2004 17:02 GMT
This is a tough problem to solve and depending on your environment some
approaches may be worse than others. Check the "Protect It: Safeguard
Database Connection Strings and Other Sensitive Settings in Your Code"
article at http://msdn.microsoft.com/msdnmag/issues/03/11/ProtectYourData/,
it addresses this topic.
Alek
> Any top tips on how to encrypt these credentials? I guess the details are
> decrypted by a function in a class within the project every time they are
[quoted text clipped - 101 lines]
> > > > >
> > > > > <M>ike
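Added example, not part of any post in this thread and not taken from the linked article: one way to keep a connection string encrypted at rest is Windows DPAPI, shown here through the `ProtectedData` class (.NET Framework 2.0 and later) with decrypt-once caching instead of decrypting on every use. The class name, entropy value and sample connection string are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;   // ProtectedData lives in System.Security.dll on .NET Framework
using System.Text;
public static class ProtectedSetting
{
    // Constructed per-application entropy (assumption). Not a secret key by itself,
    // but a blob protected by another application cannot be unprotected without it.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("SampleWebApp/ConnStr/v1");
    private static readonly object Sync = new object();
    private static string cached;   // this sketch handles a single setting

    // Run once at deployment time, on the web server itself; store the result in Web.config.
    public static string Protect(string plaintext)
    {
        byte[] data = Encoding.UTF8.GetBytes(plaintext);
        // LocalMachine: works for service accounts with no loaded profile, but any
        // process on this machine that knows the entropy can unprotect the blob.
        byte[] blob = ProtectedData.Protect(data, Entropy, DataProtectionScope.LocalMachine);
        Array.Clear(data, 0, data.Length);
        return Convert.ToBase64String(blob);
    }

    // Decrypts on first use and caches the result, so pages do not decrypt per request.
    public static string GetConnectionString(string base64Blob)
    {
        lock (Sync)
        {
            if (cached != null) return cached;
            try
            {
                byte[] data = ProtectedData.Unprotect(Convert.FromBase64String(base64Blob),
                                                      Entropy, DataProtectionScope.LocalMachine);
                cached = Encoding.UTF8.GetString(data);
                Array.Clear(data, 0, data.Length);
                return cached;
            }
            catch (CryptographicException ex)
            {
                // Typical cause: the blob was produced on a different machine.
                throw new InvalidOperationException("Setting must be re-protected on this server.", ex);
            }
        }
    }
    public static void Main()
    {
        string blob = Protect("Server=db01;Database=Orders;User Id=webapp;Password=constructed-sample");
        Console.WriteLine(GetConnectionString(blob).StartsWith("Server=db01") ? "round trip ok" : "mismatch");
    }
}
```

DPAPI blobs are bound to the machine (or user) that created them, so each server in a farm needs its own protected value, and the SQL login behind the string should still be a least-privilege account.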
<M>ike - 22 Jun 2004 10:53 GMT
Top Tip:
I've also noticed that if you're using passed credentials to connect to the
SQL box it helps if the server is set to accept both SQL Server and Windows
authentication, otherwise you keep getting (and getting and getting) the good
old 'Not a Trusted Connection' error message.
<M>ike