Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
HomeAnnouncementsFree MagazinesWhite PapersSubmit Content
Discussion GroupsASP.NETWindows FormsLanguages.NET FrameworkVisual Studio.NET
Articles.NET FrameworkASP.NETToolsWindows Forms
.NET DirectoryOpen Source ProjectsUser GroupsWeb Resources
Related Topics
Visual Basic 6SQL ServerMS AccessOther DB ProductsMS Server ProductsMore Topics ...
.NET Forum / .NET Framework / ADO.NET / February 2005

Tip: Looking for answers? Try searching our database.

Integrated security

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
Arne - 28 Feb 2005 17:13 GMT
How do I create trusted security between my web server and my sql server?
I don't know the account and password that my web server is running under.
Reply to this Message
Sahil Malik - 28 Feb 2005 18:17 GMT
The instructions for IIS 6 and 5 are vastly different. I'll just assume
you're using IIS 6 (partly because I'm hella lazy), and give you the
instructions for only those. If you are using IIS 5, lemme know and I'll
give you those instructions instead.

So in Win2k3, IIS 6, you have this ulta new hall cool thing called
"Application Pools". In IIS manager under control panel -> Administrative
Tools -> IIS Manager, you can simply create a new application pool,
configure it to use a particular username password that has access to the
SQL Server, and then go to the virtual directory/website, and in it's
properties instruct it to use that particular application pool.

Thats it, you got integrated security on ASP.NET now .. isn't that COOL? :)

Obviously there are other ways to acheive this, but I like this method the
mostest :)

- Sahil Malik
http://codebetter.com/blogs/sahil.malik/

> How do I create trusted security between my web server and my sql server?
> I don't know the account and password that my web server is running under.
Reply to this Message
Arne - 28 Feb 2005 18:43 GMT
Sahil,
Thanks for the information, but it leaves a lot of questions unanswered.
If I create a new NT account that matches my sql login, what kind of NT
privileges do I have to give to it?
I use IIS 5.0 and IIS 5.1 most of the time.

Arne.

> The instructions for IIS 6 and 5 are vastly different. I'll just assume
> you're using IIS 6 (partly because I'm hella lazy), and give you the
[quoted text clipped - 18 lines]
> > How do I create trusted security between my web server and my sql server?
> > I don't know the account and password that my web server is running under.
Reply to this Message
Sahil Malik - 28 Feb 2005 19:33 GMT
Arne,

The permissions ASPNET or it's equivalent will need to run properly on a
windows 2000/IIS 5 box, are detailed here.

http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/pro
ddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise
/proddocs/en-us/aaconaspnetrequiredaccesscontrollistsacls.asp

You are on the right path in your thinking about creating a matching
username/password on both machines. On the SQL Server it has access to the
DB, and on the web server this user has access to as per the definied in the
link above.

Once you're done with this setup, you have two options - which essentially
substitute for the Application pool setup we did for IIS6.

You can put that in your web.config as --
<system.web>
 <authorization>
   <identity impersonate="true" userName="yourNewUsername"
password="yourStrongPassword" />
 </authorization>
</system.web>

Or, you can let IIS impersonate those details in two steps (better way)
Step #1 -- In the properties for your website/virtual dir, go to Directory
Security and click the edit button beside Anonymous access and
authentication control configure the new username and password over there.
Step #2 - Let IIS provide those impersonation details via a trusted
connection by editing your web.config as follows -
<system.web>
 <authorization>
   <identity impersonate="true" />
   </authorization>
</system.web>

A YET another way is to edit the machine.config file and put the pasword in
there to edit the default context. This would be at
<processmode .. userName="ASPNET" password ="YourNewFunkyPassword"/>
This is obviously global and a bit less secure.

- Sahil Malik
http://codebetter.com/blogs/sahil.malik/

> Sahil,
> Thanks for the information, but it leaves a lot of questions unanswered.
[quoted text clipped - 27 lines]
> > > How do I create trusted security between my web server and my sql server?
> > > I don't know the account and password that my web server is running under.
Reply to this Message
Sahil Malik - 28 Feb 2005 19:35 GMT
BTW, I don't claim to be an ASP.NET expert :), but I have to add that you
might be able to get AWESOME help in the aspnet newsgroup too .. but hey not
like I don't wanna help .. :), so please do ask away. I might learn
somethin' new if nothin' else.

- Sahil Malik
http://codebetter.com/blogs/sahil.malik/

> Sahil,
> Thanks for the information, but it leaves a lot of questions unanswered.
[quoted text clipped - 27 lines]
> > > How do I create trusted security between my web server and my sql server?
> > > I don't know the account and password that my web server is running under.
Reply to this Message

Free Magazines

Get these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...

Oracle MagazineNetwork ComputingComputer WorldBio-IT WorldeWeekInformation WeekInfosecurity
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.