If you are using .NET 2.0 you can in fact encrypt the username and password
but you have to keep in mind it would still get decrypted to be used. Any
text in memory can actually be seen by other code if code security is not
carefully planned. All text ends up in memory so unencrypting it is
superficial. I'd make sure my file security prevents access to that web
config file.

If you are concerned about saving the password in the config file you may
actually have a much bigger problem. No one should have access to that file
in production other than an administrator.

What I sometimes prefer to do is have an administrator actually use what is
known as cached credentials and manually enter the account information that
the application will run under. The operating system will actually use
operating system level encryption to store the credentials.

You'll have to hunt down the exact admin steps to set that up because it
depends on your situation.

Hope it helps,
Timothy Paul Narron

"Saqib Ali" <do*********@gmail.com> wrote in message
news:11**********************@m58g2000cwm.googlegroups.com...
> I have some security concerns over storing an Active Directory username/
> passwd in a text based web.config file for the identity impersonation
> definition.
>
> I know that web.conf is not accessible via the web browser, however
> someone with account on the server can get to the file and steal the
> credentials.
>
> Is there a way to hash the username/password for identity
> impersonation definition, or define it elsewhere where it is not
> accessible to the server administrator/operators?
>
> Thanks
> saqib
> http://www.full-disk-encryption.net
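
Added example (not part of either post above): a PowerShell check that reports whether the `<identity>` section of a web.config holds plaintext impersonation credentials or has been encrypted with .NET 2.0 protected configuration, and lists who can read the file. The function name, sample configs, account name and paths are assumptions made for illustration.

```powershell
# Added example. Sample configs below are constructed, not taken from the thread.
function Get-IdentityCredentialState {
    param([Parameter(Mandatory)][xml]$Config)
    # local-name() is used so an xmlns declaration on the root does not hide the section
    $xpath = "/*[local-name()='configuration']/*[local-name()='system.web']" +
             "/*[local-name()='identity']"
    $identity = $Config.SelectSingleNode($xpath)
    if ($null -eq $identity) { return 'absent' }
    # Protected configuration replaces the attributes with an EncryptedData child
    if ($identity.GetAttribute('configProtectionProvider')) { return 'encrypted' }
    if ($identity.GetAttribute('password')) { return 'plaintext' }
    return 'no-credentials'
}

$plain = @'
<configuration>
  <system.web>
    <identity impersonate="true" userName="EXAMPLE\svc-web" password="constructed-value" />
  </system.web>
</configuration>
'@

$protected = @'
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <system.web>
    <identity configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData><CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData></EncryptedData>
    </identity>
  </system.web>
</configuration>
'@

Get-IdentityCredentialState -Config $plain
Get-IdentityCredentialState -Config $protected

# Against a real file (placeholder path), also list who is allowed to read it
$path = 'C:\inetpub\wwwroot\SampleApp\web.config'
if (Test-Path $path) {
    Get-IdentityCredentialState -Config (Get-Content $path -Raw)
    (Get-Acl $path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# To encrypt the section in place on .NET 2.0 (application path is a placeholder):
#   aspnet_regiis -pe "system.web/identity" -app "/SampleApp"
```

An 'encrypted' result only means the credentials are not readable as text on disk; the section is still decrypted on the server at run time, so the ACL output is the part to review for who can reach the file.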