By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
431,883 Members | 2,037 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 431,883 IT Pros & Developers. It's quick & easy.

Passing IIS Anonymous Account to SQL Server

P: n/a
Hi all

I was hoping some one could clear up an ASP.Net security question I
have.

I am writing an ASP.NET application that connects to SQL Server. The
security setup (connection string and IIS) will vary depending on the
client who installs it. Some clients will undoubtedly wish to have IIS
and SQL Server on separate machines, with Anonymous authentication in
IIS, and a SQL Server connection string using Windows integrated
security.

I've found that, if I'm using windows integrated security in the
database connection string, and Anonymous authentication at IIS with an
appropriate account specified, the authentication doesn't get passed
through to the remote SQL Server. I'm using Forms authentication in the
ASP.NET app, with impersonation turned on. To get the app to work with
the SQL Server instance on another machine using the configuration
above, I've found I've had to specify a username and password in the
'identity' element where impersonation is turned on. I'm not a big fan
of this as the credentials are in clear text. With old ASP, the account
being used for IIS Anonymous authentication was used, but this seems to
no longer be the case. I know I could probably change the account in
machine.config, but this is also not acceptable given the app will be
sold pre-packaged.

Does anyone have any suggestions? Am I missing something simple??

Thanks

Matt
*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!
Nov 18 '05 #1
Share this Question
Share on Google+
2 Replies


P: n/a
I am not clear enough about making your app imerpsonation enabled.. is it
becuase SQL server needs to know the logged in client to give object based
permissions?

if you dont need impersonation, there are different ways to connect to sql
server (as almost all you mentioned). but the best way would be to create a
windows login for this purpose. give minimum permissions to this login on
the sql box. configure this account as ASP.Net identity (deafult is ASPNET).

hth,
Av.

"Matt F" <an*******@devdex.com> wrote in message
news:OU**************@tk2msftngp13.phx.gbl...
Hi all

I was hoping some one could clear up an ASP.Net security question I
have.

I am writing an ASP.NET application that connects to SQL Server. The
security setup (connection string and IIS) will vary depending on the
client who installs it. Some clients will undoubtedly wish to have IIS
and SQL Server on separate machines, with Anonymous authentication in
IIS, and a SQL Server connection string using Windows integrated
security.

I've found that, if I'm using windows integrated security in the
database connection string, and Anonymous authentication at IIS with an
appropriate account specified, the authentication doesn't get passed
through to the remote SQL Server. I'm using Forms authentication in the
ASP.NET app, with impersonation turned on. To get the app to work with
the SQL Server instance on another machine using the configuration
above, I've found I've had to specify a username and password in the
'identity' element where impersonation is turned on. I'm not a big fan
of this as the credentials are in clear text. With old ASP, the account
being used for IIS Anonymous authentication was used, but this seems to
no longer be the case. I know I could probably change the account in
machine.config, but this is also not acceptable given the app will be
sold pre-packaged.

Does anyone have any suggestions? Am I missing something simple??

Thanks

Matt
*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!

Nov 18 '05 #2

P: n/a
Hi

Thanks for your reply.

The client(s) will be setting this web application up and running it
themselves. I was therefore using impersonation (without a specific
login) in an attempt to allow them to configure IIS security how they
wish, and for the ASP.NET app to use whatever IIS is using. This also
may indeed include permissions on SQL Server. It all depends on how the
client wishes to configure their security.

If I got the client to change the ASP.NET identity, won't this affect
any other ASP.NET apps on their server?

Cheers

Matt

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!

Nov 18 '05 #3

This discussion thread is closed

Replies have been disabled for this discussion.