ASP.NET: Windows Authentication on SQL Server

Many of you know that Microsoft suggests using the built-in security of Windows authentication when logging into SQL Server from an ASP.NET application. With Windows 2000 this usually means adding the ASPNET user to SQL Server, or the NETWORK SERVICE user for Windows 2003. This is all fine except when you are faced with authenticating against a SQL Server instance that is not local. It is at this point that most developers give up and use SQL authentication. Those who Google the problem, however, will be presented with a solution that advises changing the processModel element in machine.config, where you specify a username and password other than the default MACHINE/AutoGenerate pair.

Might I suggest looking at the <identity> element. By simply adding this element to your web.config you can tell the runtime which user to impersonate, and thus use a domain user name and password that has been granted access to the SQL Server.

 ex:
<identity impersonate="true" userName="DOMAIN\User" password="xxxxxx"/>

Looking at the doc on MSDN you will also find that it is possible to encrypt the user name and password, store them in the registry and reference the registry entries.

 ex: 
 <identity impersonate="true"
         userName="registry:HKLM\Software\AspNetIdentity,Name"
         password="registry:HKLM\Software\AspNetIdentity,Pwd" />
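
A check that tells the two forms above apart, written as an added example (it is not part of the original post or of any Microsoft tooling): it parses web.config text and reports an identity password stored as a literal, as well as connection strings that carry a SQL authentication password. The sample configuration, the DBHOST server name and the function name are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input, not taken from a real system.
SAMPLE_CONFIG = r"""<configuration>
  <connectionStrings>
    <add name="Good" connectionString="Server=DBHOST;Database=App;Integrated Security=SSPI" />
    <add name="Bad" connectionString="Server=DBHOST;Database=App;User ID=app;Password=xxxxxx" />
  </connectionStrings>
  <system.web>
    <identity impersonate="true" userName="DOMAIN\User" password="xxxxxx" />
  </system.web>
  <location path="admin">
    <system.web>
      <identity impersonate="true"
                userName="registry:HKLM\Software\AspNetIdentity,Name"
                password="registry:HKLM\Software\AspNetIdentity,Pwd" />
    </system.web>
  </location>
</configuration>"""

# Matches a Password= or Pwd= keyword inside a connection string.
SQL_PASSWORD = re.compile(r"(?:^|;)\s*(?:password|pwd)\s*=", re.IGNORECASE)

def local_name(tag):
    """Strip an XML namespace prefix such as '{uri}identity'."""
    return tag.rsplit("}", 1)[-1]

def audit_web_config(xml_text):
    """Return (location, reason) findings in document order."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        name = local_name(elem.tag)
        if name == "identity":
            password = elem.get("password", "")
            # A "registry:" value is a pointer to the registry, not the secret.
            if password and not password.lower().startswith("registry:"):
                findings.append(("identity/@password", "literal Windows password"))
        elif name == "add":
            if SQL_PASSWORD.search(elem.get("connectionString", "")):
                label = "connectionStrings/" + elem.get("name", "?")
                findings.append((label, "SQL authentication password"))
    return findings

if __name__ == "__main__":
    for location, reason in audit_web_config(SAMPLE_CONFIG):
        print(location, "->", reason)
```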


 

2 Comments

  • Funny, I had to deal with this just the other day. The IT guys were happy that the admin password was not in a plain text file... (Don't even get me started on why they gave my app admin privileges. I would have been happy with a user account that can only insert, update, and select.)

  • The main reason for using Windows authentication seems to be that it avoids storing a SQL Server password in the config file.

    Storing a Windows password in a config file seems to defeat the object and would be even less advisable.
