help.net

Comment from Frans:

"Rather than use SQL authentication when connecting from ASP.NET to SQL Server, you should use native windows authentication -- but lock down access not to the identity of the calling user, but rather to that of the ASP.NET worker process identity of the running application. That way you can restrict access to only allow the application access to the data (not the end users using it). You also do not have to worry about the SQL authentication usernames/passwords ever being compromised and access in these scenarios -- since no username/password is ever stored in an unencrypted way"
That's wrong, sorry. If I have 2 machines, one being the IIS server and the other one being the sqlserver machine, the ASP.NET account is LOCAL to the IIS server. I can't use that account to access the sqlserver instance and do things there. I then have to add the SAME user to the sqlserver machine as well with the SAME password, also as local account.

-> 2 times the same user and it 'works' because they have the same credentials, but they are different users.

On the DOTNET-CLR mailing list we had a lengthy discussion about this a month or so ago and we all concluded that it wasn't possible to do this how MS tells us to do it. On 1 box, it's no problem (sqlserver and IIS on one machine). There is however a problem with the contradiction between the advice from MS not to run your sqlserver/iis boxes in a domain / as a PDC/BDC, so you use local defined accounts on the IIS box, not domain users, and the fact that it is impossible to access box B from box A when you are logged in on A as a local user (ASPNET) of A which is not known on B.

Apprently I am not the only one to have the blues ;-)

What a night. I was just working like a dog on some coding for my stuff.

After some few hours of long coding, I finally obtain the most beautiful...
BLANK screen.

Doh ! Well at last, my code seems to work and it's one of my most complex one to obtain a white page.

I know I should be shame of myself, and now I face some more long hours of debugging this.

But I believe that it's the common thing for everybody there. Whatever happened, I prefer to laugh about it.
I should probably wrote less code, and think more about debugging, but ... whatever.

The blues is gone, I'm back now

From Scott Guthrie

Interesting comment from Frans:

I found interesting these new articles about SQL 2000 security (source Microsoft)
The figure shows security vulnerabilities in a simple multi-tier system

Hey Ralf nice to see your experience in TechEd.... in german :-((

Also I say that because I know that you are writing for your country but in case you don't know that, TechEd is an international event.

Are you going to speak only in german in Barcelona ( How do you say tortilla in german ?) :-))