Bytes | Software Development & Data Engineering Community

Authentication and Auditing: Incorrect Username in Audit tables

Hi,

I've been tasked with reviewing the Authentication and Auditing of an
application and database.

ASP/ASP.NET 1.1 app with SQL Server 2000 database. Separate audit trail
database on same server.

The system is intranet based and currently uses Basic Authentication on
IIS6. The application itself is mostly classic ASP, but has been
migrated into a .NET 1.1 Framework Project. So there are both .asp and
.aspx pages. We have auditing triggers on the tables in the database,
but the wrong username or no username is currently being inserted.
Authenticated users have logons to the db with full DML permissions.

We now have Active Directory. Most of the data access is done through a
SQLXML virtual directory using templates, schemas and updategrams. This
is using a shared login, so no user info is coming through to
SUSER_SNAME().

We intend to swap from Basic Authentication to Integrated Windows
Authentication.

Basically I want to get the real username available to the triggers in
SQL Server. I also want to tighten up the security. I am unsure what I
need in terms of impersonation, application roles or shared database
role etc. I don't have the resources for a complete redesign, but could
probably do some significant changes if necessary.

My initial stab would be to use Integrated Windows Authentication on IIS
and the SQLXML Virtual Directory. I think that means that I need to enable
Impersonation for the aspx pages (the asp pages should impersonate by
default?). I should then enable an app role in the templates? Can
you use app roles with updategrams? Also, given that the triggers
reference a separate audit trail database, wouldn't an app role limit
access to this?

The other option is to use a shared db login for everyone and pass the
actual username in as a parameter, but that would seem to require
changes to every single query/sp in the database/app.

I'm not sure that I explained myself very well above. Hope someone can
help me figure this out! There are perhaps 2 issues here. 1 - I need to get
the authenticated user's name through to the audit table with the
minimum of fuss. 2 - I'd like to stop every man and his dog having
write access to all the tables in the database via ODBC.

Oh, I haven't mentioned app authorisation - that bit seems fine! A
table in the database.

Cheers,

James

Sep 12 '06 #1

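The thread received no replies. The following is an added example, not code from the original post or from James's application, illustrating the first issue he raises: with one shared login behind the SQLXML virtual directory, SUSER_SNAME() inside an audit trigger returns the shared login rather than the intranet user. It shows a variant of his "pass the real username in" option that does not touch every query: the application stamps the authenticated name on the connection once with SET CONTEXT_INFO (available in SQL Server 2000), and the trigger reads it back from master.dbo.sysprocesses, falling back to SUSER_SNAME() when nothing was set. All table, column and user names are assumptions; the audit table is kept in the same database so the script is self-contained, and a plain T-SQL client is assumed (the post does not establish whether a SQLXML template or updategram can issue SET CONTEXT_INFO before its own statements).

```sql
-- Added example (not from the original post). SQL Server 2000 T-SQL.
-- Table, column and user names are assumptions for illustration.
--
-- Problem shown: when the SQLXML virtual directory connects with one shared
-- login, SUSER_SNAME() inside an audit trigger always returns that login.
-- Technique shown: the application sets CONTEXT_INFO once per connection and
-- the trigger reads it from master.dbo.sysprocesses, so the queries and
-- stored procedures themselves need no extra username parameter.

CREATE TABLE dbo.Customer (
    CustomerId INT IDENTITY(1,1) NOT NULL PRIMARY KEY,
    Name       VARCHAR(100)      NOT NULL
)
GO

-- Kept in the same database here so the script runs on its own; the post's
-- real audit table lives in a separate database on the same server.
CREATE TABLE dbo.Customer_Audit (
    AuditId    INT IDENTITY(1,1) NOT NULL PRIMARY KEY,
    CustomerId INT               NOT NULL,
    Action     CHAR(1)           NOT NULL,   -- 'I', 'U' or 'D'
    ChangedBy  VARCHAR(128)      NOT NULL,   -- application user, or login if unset
    DbLogin    VARCHAR(128)      NOT NULL,   -- SUSER_SNAME(), kept for comparison
    ChangedAt  DATETIME          NOT NULL DEFAULT GETDATE()
)
GO

CREATE TRIGGER dbo.trg_Customer_Audit ON dbo.Customer
FOR INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON

    -- Name the application stored for this connection. SQL Server 2000 has no
    -- CONTEXT_INFO() function, so read the 128-byte value from sysprocesses
    -- and strip the zero padding. Assumes an ASCII user name (DOMAIN\user).
    DECLARE @who VARCHAR(128)
    SELECT @who = RTRIM(REPLACE(CAST(context_info AS VARCHAR(128)), CHAR(0), ''))
    FROM   master.dbo.sysprocesses
    WHERE  spid = @@SPID

    -- Fall back to the login when the application did not set a name
    -- (direct ODBC access, maintenance scripts, or an application bug).
    IF @who IS NULL OR @who = '' SET @who = SUSER_SNAME()

    DECLARE @action CHAR(1)
    IF EXISTS (SELECT * FROM inserted) AND EXISTS (SELECT * FROM deleted)
        SET @action = 'U'
    ELSE IF EXISTS (SELECT * FROM inserted)
        SET @action = 'I'
    ELSE
        SET @action = 'D'

    IF @action = 'D'
        INSERT dbo.Customer_Audit (CustomerId, Action, ChangedBy, DbLogin)
        SELECT CustomerId, @action, @who, SUSER_SNAME() FROM deleted
    ELSE
        INSERT dbo.Customer_Audit (CustomerId, Action, ChangedBy, DbLogin)
        SELECT CustomerId, @action, @who, SUSER_SNAME() FROM inserted
END
GO

-- 1. The shared-login problem: nothing has been set on this connection, so
--    the trigger can only record the login in both ChangedBy and DbLogin.
INSERT dbo.Customer (Name) VALUES ('Acme')

-- 2. The application stamps the authenticated user's name (assumed value)
--    right after opening the connection, then runs its normal DML unchanged;
--    the trigger now records that name in ChangedBy while DbLogin stays the login.
DECLARE @ctx VARBINARY(128)
SET @ctx = CAST('CORP\jsmith' AS VARBINARY(128))
SET CONTEXT_INFO @ctx

UPDATE dbo.Customer SET Name = 'Acme Ltd' WHERE Name = 'Acme'
DELETE dbo.Customer WHERE Name = 'Acme Ltd'

SELECT AuditId, Action, ChangedBy, DbLogin FROM dbo.Customer_Audit ORDER BY AuditId

-- Clear the value so a pooled connection does not carry this user's name
-- into the next request that reuses it.
SET CONTEXT_INFO 0x00
GO
```

Two caveats worth keeping in mind with this approach. Connection pooling means CONTEXT_INFO survives on the physical connection, so the application has to set it on every request (and ideally clear it afterwards), otherwise one user's changes get attributed to the previous user of that pooled connection. And because anyone holding the shared login can set any name they like, the value is attribution for the audit trail, not a security boundary: the second issue in the post, stopping arbitrary ODBC users from writing to the tables, still has to be solved with permissions on the database side rather than with this mechanism.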
