Public ASP.NET app and SQL Server security - best practices?

Platform: Win 2003 Server, ASP.NET 1.1, SQL Server 2000 or 2005

I need to create an ASP.NET app that is going to be published on an
external web site. User authentication is Windows Integrated (no
forms authentication or anonymous access).

The app will utilize a SQL database on the same server, and I was
wondering how I should handle SQL security.

For internal apps I always use a single unprivileged SQL account per
app: that simplifies the configuration and uses SQL connection pooling
effectively. But I would not want to have SQL authentication enabled
on this server and want to stick to Windows trusted authentication.

I would rather avoid enabling identity impersonation in my app. But
how would I then connect to the database? One way is to give to
application thread account (local ASPNET, Network Identity) desired
permission on the database level. Is this really the way?

Thanks!
Sep 21 '08 #1
"Usenet User" <no*****@no.way> wrote in message
news:re********************************@4ax.com...

> I would rather avoid enabling identity impersonation in my app.

Why? Seems to be a perfect solution...
--
Mark Rae
ASP.NET MVP
http://www.markrae.net

Sep 21 '08 #2
On Sun, 21 Sep 2008 20:18:41 +0100, "Mark Rae [MVP]"
<ma**@markNOSPAMrae.net> wrote:

> "Usenet User" <no*****@no.way> wrote in message
> news:re********************************@4ax.com...
>
>> I would rather avoid enabling identity impersonation in my app.
>
> Why? Seems to be a perfect solution...

Well, aside from extra maintenance effort (every user needs to have
access to the database), this would also, I believe, scale poorly due
to ineffective SQL connection pooling, because every app instance will
use different credentials when connecting to the DB.

Also, identity impersonation was the default model in classic ASP,
which is considered one of the significant drawbacks of that
technology.

Or am I missing something?

Thanks!
Sep 22 '08 #3
"Usenet User" <no*****@no.way> wrote in message
news:tj********************************@4ax.com...

> On Sun, 21 Sep 2008 20:18:41 +0100, "Mark Rae [MVP]"
> <ma**@markNOSPAMrae.net> wrote:
>
>> "Usenet User" <no*****@no.way> wrote in message
>> news:re********************************@4ax.com...
>>
>>> I would rather avoid enabling identity impersonation in my app.
>>
>> Why? Seems to be a perfect solution...
>
> Well, aside from extra maintenance effort (every user needs to have
> access to the database), this would also, I believe, scale poorly due
> to ineffective SQL connection pooling, because every app instance will
> use different credentials when connecting to the DB.
>
> Also, identity impersonation was the default model in classic ASP,
> which is considered one of the significant drawbacks of that
> technology.
>
> Or am I missing something?

You most certainly are.

With identity impersonation, your ASP.NET app runs in the context of a
single user whose privileges you assign - nothing whatsoever to do with the
individual users who use the app...
http://msdn.microsoft.com/en-us/libr...18(VS.71).aspx
--
Mark Rae
ASP.NET MVP
http://www.markrae.net

Sep 22 '08 #4
Well, I am a bit confused...
If you do not want to mess with every user having an account on SQL Server
then why not create a single account and allow the application to work through that.
Why do you want to use Integrated Security for your connection strings?
If you are afraid that someone will connect to SQL Server directly then
check if you have a firewall and use it.
----------------------------------------------------------------------
Also I am not clear why you would want to use NT authentication and disable
anonymous access.
I believe only IE supports NT authentication. So people who are using Firefox
will not be able to access.

George.

"Usenet User" <no*****@no.way> wrote in message
news:tj********************************@4ax.com...

> On Sun, 21 Sep 2008 20:18:41 +0100, "Mark Rae [MVP]"
> <ma**@markNOSPAMrae.net> wrote:
>
>> "Usenet User" <no*****@no.way> wrote in message
>> news:re********************************@4ax.com...
>>
>>> I would rather avoid enabling identity impersonation in my app.
>>
>> Why? Seems to be a perfect solution...
>
> Well, aside from extra maintenance effort (every user needs to have
> access to the database), this would also, I believe, scale poorly due
> to ineffective SQL connection pooling, because every app instance will
> use different credentials when connecting to the DB.
>
> Also, identity impersonation was the default model in classic ASP,
> which is considered one of the significant drawbacks of that
> technology.
>
> Or am I missing something?
>
> Thanks!
Sep 22 '08 #5
On Mon, 22 Sep 2008 01:13:53 +0100, "Mark Rae [MVP]"
<ma**@markNOSPAMrae.net> wrote:

> "Usenet User" <no*****@no.way> wrote in message
> news:tj********************************@4ax.com...
>
>> On Sun, 21 Sep 2008 20:18:41 +0100, "Mark Rae [MVP]"
>> <ma**@markNOSPAMrae.net> wrote:
>>
>>> "Usenet User" <no*****@no.way> wrote in message
>>> news:re********************************@4ax.com...
>>>
>>>> I would rather avoid enabling identity impersonation in my app.
>>>
>>> Why? Seems to be a perfect solution...
>>
>> Well, aside from extra maintenance effort (every user needs to have
>> access to the database), this would also, I believe, scale poorly due
>> to ineffective SQL connection pooling, because every app instance will
>> use different credentials when connecting to the DB.
>>
>> Also, identity impersonation was the default model in classic ASP,
>> which is considered one of the significant drawbacks of that
>> technology.
>>
>> Or am I missing something?
>
> You most certainly are.
>
> With identity impersonation, your ASP.NET app runs in the context of a
> single user whose privileges you assign - nothing whatsoever to do with the
> individual users who use the app...
> http://msdn.microsoft.com/en-us/libr...18(VS.71).aspx

It turns out, it can be both: either the user himself is impersonated,
or a single pre-configured user is impersonated. (I am dismissing
anonymous access here.) A single pre-configured user is, probably,
what I am looking for. Thanks for pointing this out.
Sep 22 '08 #6
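The fixed-identity impersonation Mark describes and the original poster settles on, as an added example that is not from any poster in this thread: an ASP.NET 1.1 web.config that authenticates end users with Windows authentication but runs every request, and therefore every SQL connection, as one pre-configured least-privileged Windows account, so SQL authentication can stay disabled and all connections share a single pool. The server name, database name, app setting key and registry key path are placeholders; the registry form of the credentials assumes they were stored with the aspnet_setreg.exe tool that ships for ASP.NET 1.1.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- ASP.NET 1.1 has no <connectionStrings> section, so the connection
       string lives in appSettings (placeholder key name "AppDb"). -->
  <appSettings>
    <!-- Integrated Security=SSPI: no SQL login or password anywhere.
         The connection is made as the impersonated account configured in
         <identity> below. Because every request runs as that one account,
         all connections share one pool instead of one pool per end user. -->
    <add key="AppDb"
         value="Data Source=(local);Initial Catalog=AppDb;Integrated Security=SSPI;" />
  </appSettings>

  <system.web>
    <!-- End users are authenticated by IIS (Integrated Windows
         authentication, anonymous access disabled). Their identity is
         still available to the app through User.Identity.Name for
         authorization decisions; it is just not used for the SQL hop. -->
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Fixed-identity impersonation: the worker thread runs as this
         pre-configured service account, NOT as the calling user.
         The credentials are read from a DPAPI-encrypted registry value
         written by aspnet_setreg.exe, so no password is stored in this
         file. Placeholder key path; ASPNET_SETREG is the subkey that the
         tool creates. -->
    <identity impersonate="true"
              userName="registry:HKLM\SOFTWARE\MY_APP\identity\ASPNET_SETREG,userName"
              password="registry:HKLM\SOFTWARE\MY_APP\identity\ASPNET_SETREG,password" />
  </system.web>
</configuration>
```

Grant the service account only the database roles the app needs and nothing at the server level, and give the worker process account (ASPNET on Windows 2003 in IIS 5 isolation mode, Network Service otherwise) read access to the registry key so the credentials can be loaded at startup.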
On Mon, 22 Sep 2008 00:20:02 -0400, "George" <no*****@comcast.net>
wrote:

> Well, I am a bit confused...
> If you do not want to mess with every user having an account on SQL Server
> then why not create a single account and allow the application to work through that.

I forgot that it is possible: to impersonate just a single NT user.
> Why do you want to use Integrated Security for your connection strings?
> If you are afraid that someone will connect to SQL Server directly then
> check if you have a firewall and use it.

Well, this goes beyond my involvement. I can suggest, but I cannot
control or guarantee that this will happen. Disabling SQL
authentication seems like an extra measure I can take, that's all.

> ----------------------------------------------------------------------
> Also I am not clear why you would want to use NT authentication and disable
> anonymous access.
> I believe only IE supports NT authentication. So people who are using Firefox
> will not be able to access.

That is to pass on user management. Implementing forms authentication
along with user management within the app is too expensive in terms of time
and money. Since Windows already provides authentication, we can
utilize that. Other browsers are of no concern; IE is a requirement
for the end users.

Thanks!
> George.
>
> "Usenet User" <no*****@no.way> wrote in message
> news:tj********************************@4ax.com...
>
>> On Sun, 21 Sep 2008 20:18:41 +0100, "Mark Rae [MVP]"
>> <ma**@markNOSPAMrae.net> wrote:
>>
>>> "Usenet User" <no*****@no.way> wrote in message
>>> news:re********************************@4ax.com...
>>>
>>>> I would rather avoid enabling identity impersonation in my app.
>>>
>>> Why? Seems to be a perfect solution...
>>
>> Well, aside from extra maintenance effort (every user needs to have
>> access to the database), this would also, I believe, scale poorly due
>> to ineffective SQL connection pooling, because every app instance will
>> use different credentials when connecting to the DB.
>>
>> Also, identity impersonation was the default model in classic ASP,
>> which is considered one of the significant drawbacks of that
>> technology.
>>
>> Or am I missing something?
>>
>> Thanks!
Sep 22 '08 #7
