Alex Chang's WebLog

How to use Trusted Connection when SQL server and web Server are on two separate machines.

Recently, in our consideration to make the production server environment more secure, one of the things we looked into was securing the database connection information between the web server and SQL server.  I received much help from attending DevDays 2004 and also from doing some research on the Internet on this matter.  There are some options when it comes to securing the connection string between a database server and a web server.  I'll just list a few here:

1           Use a trusted connection with integrated authentication.

2          Use the Aspnet_setreg.exe utility to encrypt the connection string and store it in the registry.  You can refer to these two articles for detailed instructions on how to do this:  http://support.microsoft.com/default.aspx?scid=kb;EN-US;329290 and http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT11.asp

3          Using DPAPI (Data Protection application programming interface) to secure the connection string.  You can refer to these articles: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT08.asp and http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/windataprotection-dpapi.asp and http://www.codeproject.com/system/protected_data.asp 

In this blog, I'll focus more on option 1 - using a trusted connection.  You see, it's very straightforward to configure a trusted connection when the SQL server and web server are on the same machine.  For Windows 2000 Server or XP Pro machines, you just need to make sure the local “ASPNET” account (under which ASP.NET application runs) has appropriate access to the database that your application will be using.  For Windows Server 2003, you need to make sure that the “Network Services” account (or “IIS_WPG” group – of which the “Network Services” is a member) has the appropriate access to the database.  You can follow a step-by-step procedure to configure this here: http://www.asp.net/faq/AspNetAndIIS6.aspx#4 (under the section titled “Supporting integrated authentication with SQL Server”).

The problem arises, however, when the database server and the web server are on two separate machines (assuming they are on the same network).  The issue lies in the fact that the local accounts/credentials (“ASPNET” in Windows 2000 Server and Windows XP Pro., “Network Services” in Windows Server 2003) under which ASP.NET worker process runs are local accounts (local to the web server).  Therefore the database server on a separate machine will not be able to see/recognize these accounts.  So if you try using the same steps mentioned above to configure a trusted connection between the web server and the SQL server, you will most likely see an error message such as “Login failed for user '(null)'. Reason: Not associated with a trusted SQL Server connection.” , when you try to launch your ASP.NET application.

One solution is to set up a domain account with minimal access (the same level of access as the local “ASPNET” or “Network Services” account on the web server) and grant this account the appropriate access to the database on the SQL server that your web application will be accessing.  Then, you can use impersonation to make your ASP.NET application run under the domain account that you just created.  (Does anyone know of a way to set up the trusted connection without impersonation?  I would very much like to know how we can avoid using impersonation and any overhead associated with it.  Some postings mentioned making the local accounts “ASPNET” or “Network Services” on both servers to have the same password, but I don’t think this is a good solution).  Here are some tips/steps on using impersonation for trusted connection with a domain account:

1         When creating the domain account, make sure it has the proper level of access to run ASP.NET applications.  You can refer to this page for a list of directories and the permissions that this domain account must have to them.  For security purposes, don't give this domain account any more permission than you have to.

2         Assign the domain account the necessary permission to the database (you can still follow the instructions at http://www.asp.net/faq/AspNetAndIIS6.aspx#4.  Just make sure you choose the domain account that you just created).

3         In order to turn on impersonation, there are two options:

a.       In the web.config file of your application, add the following line: <identity impersonate="true" userName="domain\user" password="password" />  (put it somewhere between the <system.web></system.web> tags)  However this really defeats the purpose of using the trusted connection to avoid having to include the credential and the password in the connection string.  If you use this method, you will still need to encrypt the credential and the password in order to keep this information safe.

b.      (This is the better method in my opinion)  In the web.config file, add the following: <identity impersonate="true" /> (this time without the user name and password).  Then, from IIS Manager, right click on the virtual directory assigned to your application and select “Properties”.  Click on the “Directory Security” tab, then under “Anonymous access and authentication control” click “Edit”.  If you are going to allow anonymous access to the application (not requiring users to login with windows authentication each time they access this web application), make sure “Anonymous access” checkbox IS checked.  Then uncheck “Allow IIS to control password”.  In the “User Name” field, type in (or you can browse to) the domain account (domain\user) and type in the password for the domain account in the “Password” field (By default IIS uses IUSR_machinename for the anonymous account, you can refer to this page if you would like to find its default password in case you want to change it back later for some reason) .  Then under “Authenticated Access”, make sure NONE of the boxes are checked.  Press “OK” and “OK” to save the settings and exit IIS.

4         Then in web.config you can use either one of these connection strings:

a.       "data source=yourservername;initial catalog=databasename;Integrated Security=SSPI"

b.      "server=yourservername; database=databasename;Trusted_Connection=true"

 

Hopefully, by using the tips and steps above, you should be able to get the trusted connection to work between the SQL server and the web server.

 

I hope this long-winded blog will be helpful to some.  I don’t claim to be an expert in this, so as I mentioned earlier, if anyone has a better solution for configuring the trusted connection, I am all ears.  I really would like to know if there is anyway to use trusted connection without impersonation.

 

Here are also some good references/discussions related to this topic:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vbcon/html/vbtskaccessingsqlserverusingmappedwindowsdomainuser.asp

http://weblogs.asp.net/cschittko/archive/2004/03/05/85035.aspx

http://support.microsoft.com/default.aspx?kbid=316989

http://dotnetjunkies.com/Newsgroups/microsoft.public.dotnet.framework.aspnet.security/2004/3/22/75451.aspx

http://dotnetjunkies.com/Newsgroups/microsoft.public.dotnet.framework.aspnet.security/2004/3/22/74067.aspx

http://www.winnetmag.com/Article/ArticleID/9002/9002.html

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetAP05.asp

http://www.kamath.com/tutorials/tut002_iisanon.asp

http://www.microsoft.com/technet/community/columns/insider/iisi0102.mspx#XSLTsection124121120120

 

Update: Frans Bouma mentioned that running web server on a domain may not be according to Microsoft's best practice for security.  Could someone confirm this?  Is there a better way then to configure a trusted connection when IIS and SQL server are on separate machines without the use of impersonation?

Posted: Apr 15 2004, 11:05 AM by AChang | with 22 comment(s)

Comments

Frans Bouma said:

Isn't running the webserver in a domain against MS' best practises for security? I'm pretty sure they say you shouldn't run IIS on a server in a domain.
# April 15, 2004 11:57 AM

Alex Chang said:

Hi, Frans,

I think you are probably right, though I haven't seen a MS reference that talks about this. If you come across it, could you let me know? I posted this blog also as a question to see if anyone knows a better way to configure the trusted connection between two servers (web and database) running on separate machines?. I really don't like having to deal with impersonation. But as far as I can tell, there is really no other way around it. Do you have any suggestions?

Thanks!
# April 15, 2004 4:54 PM

Kent Tegels said:

No, its OK to run IIS in a Domain, but it shouldn't be run on a Domain Controller. Windows Integrated Security would be a bigger joke that it already is otherwise. ;)
# April 22, 2004 10:58 PM

Barry Dorrans said:

Using domain accounts is bad <g> If your web gets compromised, then watch the naughty hacker go walkies through your domain. Of course not everyone has a domain anyway, I use mirrored passwords around all my home machines because adding AD would be painful to say the least!. It also goes against the idea of "minimal permissions everywhere". In plain old ASP, and now in ASP.Net you can mirror accounts, I honestly don't know why you feel these is a good solution.

So, if you want to mirror accounts (or if you must, use a domain account - bad IIS admin, bad!) you're missing a couple of options, you can edit machine.config to force all aspnet processes to run in the specified context (including a pre-defined password for the ASPNET user - so you don't have to go through that painful permissions setup), or you can use IIS6's Application Pools, where you set a security context on a per pool basis, then assign your applications/webs to that pool.

I documented this a while back, and forgot about it, then remembered when I was updating my stylesheets, so http://idunno.org/dotnet/trustedConnections.aspx has my own thoughts.

You ought to note that if you are <a href="http://idunno.org/dotNet/sessionState.aspx">using SQL for session state</a> across web farms impersonation and changing the security context will break it, and you need to make sure you also give your new context permissions to the state database
# April 24, 2004 3:34 AM

Alex Chang said:

Hi, Barry,

Thank you for your response. Your article is definitely very helpful. In your comment regarding mirroring the accounts on both the SQL server and the web server, you said "I honestly don't know why you feel these is a good solution", did you mean "I honestly don't know why you feel this is not a good solution"? If I understand your comment correctly, I think you are recommending mirroring accounts right? I had considered the mirroring account approach, but I found some people don't seem to like very much, for example: http://weblogs.asp.net/cschittko/archive/2004/03/05/85035.aspx#89562

Frankly, I really would like to find out from all the experts out there to see what really is the best way to establish a trusted connection between web server and SQL server without the use of impersonation. But like you said in your article, perhaps there really isn't the "right way" for working with trusted connection.

Again, thank you for your comment.




# May 2, 2004 3:16 AM

Barry Dorrans said:

Well if comes down to it, I want internet exposed web servers out of any domain. You can argue domain membership for intranets, but with daily attacks on exposed servers do you really want to run the risk of giving someone the ability to login to your AD?

Personal preference of course.
# May 4, 2004 3:05 PM

TrackBack said:

# May 11, 2004 2:18 PM

Phill said:

p.herd@btinternet.com

This piece of info is realy good about how to use a trusted connection.
I would be grateful if you would tell me the secret of how to actualy create a trusted connection so that i can use it. Yeah i know i guess i must be thick as Sh**, but i cannot find anywere on the internet on how to create this thing; only how to use it.
Thanks
//ps i dont mind the ridicule just so long as i get the answer

p.herd@btinternet.com

# June 11, 2004 2:20 PM

Alex Chang said:

Hi, Phil,

If you are running II6 6.0 and your web server and database server are on the same machine, then you can follow the instructions here:

http://www.asp.net/faq/AspNetAndIIS6.aspx

Not only does the article show you how to configure IIS 6 for ASP.NET, but also half way through, there are some steps on setting up the SQL server for trusted connection.

hope that helps.
# June 11, 2004 3:10 PM

TrackBack said:

^_^,Pretty Good!
# April 10, 2005 2:20 AM

Travis said:

We are looking at implementing some kind of trusted connection like this in our applications.

Which do you think is worse, using a trusted connection as described in this article, or using SQL Server accounts instead of Active Directory accounts to authenticate to the database?

# August 8, 2007 4:36 PM

Using SSPI in connection strings vs. a named SQL Server user « The Pursuit of a Life said:

Pingback from  Using SSPI in connection strings vs. a named SQL Server user &laquo; The Pursuit of a Life

# November 28, 2007 5:33 PM

Daniel said:

Small point I think should be mentioned in reference to Barry's and Alex's discussion

DB Trusted Conection with IIS running under domain account context - should be perfectly fine for Intranet applications.

For publically facing Internet sites - segragation between the IIS server and the internal organisation is a must. Usually this is achieved with a DMZ.  SQL Server authentication is probably easiest to use in this setup as windows authentication would require a separate DMZ domain.

For DMZ info... see en.wikipedia.org/.../Demilitarized_zone_(computing)

# December 14, 2007 7:42 AM

Sudip Purkayastha said:

Hi all,

I am facing one typical problem. my web server and DB server (which also having IIS server)  are on different PC. i have configured ASP.net password on both the PCs. Now, once i try to connect the DB on trusted connection, giving IMPERSONATION=false, i get the same error.

But if i write IMPERSONATION=true USERNAME="xyz" PASSWORD="xyz" it works fine. i am having IIS 5.6

Please help.

# January 22, 2008 11:20 PM

Kirill S said:

Alex,

I am so glad I ran into your web page. Your advice worked for me.

I experienced only minor differences, probably because I am working on Windows 2003 server.

To get the single sign on to work I had to disable Anonymous access  and check Basic Authentication check box in IIS manager. I also had to add few lines in the web.config file:

<authentication mode="Windows" />

<identity impersonate="true" />

Thanks,

Kirill

# January 25, 2008 5:33 PM

Kyle Beyer said:

In no particular order, here are the top ten things I&#39;ve learned to pay attention to when dealing

# February 13, 2008 1:05 AM

Vincent Yang said:

(Ref:weblogs.asp.net/.../113866.aspx)Recently,inourconsiderationt...

# February 21, 2008 10:16 PM

Thangavignesh said:

this site is very useful for me

# February 28, 2008 7:18 AM

Smita said:

The information provided here helped me understand authentication to SQL Server concepts well.

# November 12, 2008 1:13 AM

leploep said:

I followed the steps in this article:

msdn.microsoft.com/.../ms998320.aspx

(for SQL start way below)

And gave the computeraccount acces to SQL-server.

Just as easy as running on local sql

# November 24, 2008 5:28 AM

jon80 said:

I would like to configure a trusted connection between two machines, the database server running on Windows Server 2008 Standard.

Sorry if it sounds basic, but how do I go about this?

# March 14, 2009 5:14 PM

chel said:

this site is very useful...

# October 9, 2009 9:12 AM
Leave a Comment

(required) 

(required) 

(optional)

(required)