Authentication

Hello All,
I was wondering what is the main difference between Windows
authentication and mixed mode authentication?
According to security recommendations, we should enable Windows
authentication rather than the mixed one. I don't get the point why we
refuse mixed mode authentication, although it includes Windows
authentication together with an extra layer of defense by the aid of an
extra authentication mechanism, SQL authentication.

I hope I can find out why.
If anyone can recommend me some papers or books, I'll be thankful, but
I hope it explains from the security point of view.

Thanks for your time and sorry for the interruption.

Jun 14 '06 #1
(En******@gmail.com) writes:
> I was wondering what is the main difference between Windows
> authentication and mixed mode authentication?
> According to security recommendations, we should enable Windows
> authentication rather than the mixed one. I don't get the point why we
> refuse mixed mode authentication, although it includes Windows
> authentication together with an extra layer of defense by the aid of an
> extra authentication mechanism, SQL authentication.

No, mixed mode does not give you any extra layer of protection.

In the beginning, SQL Server only had one means of authentication: username
and password stored in the master database in SQL Server. To connect to SQL
Server, you needed to specify username and password. This is today known as
SQL authentication.

Later Microsoft added Windows authentication, which permits you to log in
with your Windows credentials. This is known as "Windows authentication",
"Trusted connection" or "Integrated Security".

In SQL 6.x you had three choices: Windows authentication only, SQL
authentication only or both. With SQL 7, Microsoft removed the alternative
SQL authentication only.

Windows Authentication is generally regarded as more secure in SQL 2000,
because SQL Server does not have any means to check password strength,
lock accounts with many failed logins etc. Also, it's fairly easy to
crack a password sent over the wire, as the "encryption" is just a mild
form of obfuscation. Some of these issues have been resolved in SQL 2005,
provided that you use Windows 2003.

However, Windows authentication requires that both client and server are
in the same domain, or are in domains that trust each other. Mixed mode
is also convenient when you work in a development environment and need
to load stored procedures etc. from a privileged account, but you need to
test the application as a low-priv user.
--
Erland Sommarskog, SQL Server MVP, es****@sommarskog.se

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/pro...ads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinf...ons/books.mspx
Jun 14 '06 #2
That's a gr8 help, I really appreciate it :).

But I was wondering, what if the client and server were in different
domains, shall we be using only SQL authentication?

If yes, is there any other situation where we can't use Windows
authentication?

Thanx again for ur gr8 help :D

Jun 14 '06 #3
(En******@gmail.com) writes:
> That's a gr8 help, I really appreciate it :).
>
> But I was wondering, what if the client and server were in different
> domains, shall we be using only SQL authentication?

Unless you can set up some trust between them you need to use SQL
authentication.

Here I need to add this is a question that requires good knowledge about
Windows networking, which I do not possess.

> If yes, is there any other situation where we can't use Windows
> authentication?

If you don't have a domain at all, but only a Workgroup, Windows
authentication can be difficult. Username and password must match,
but this may not be enough. For instance, I run virtual machines on
my computer at home, and from the host machine I connect to SQL Server
on the virtual machines with Windows authentication, and Windows
authentication also works between virtual machines. But it does not
work from virtual machines to the SQL Server instances on the host
machine.

If the client comes from a non-Windows OS it may be even more difficult
to use Windows authentication. Obviously.
--
Erland Sommarskog, SQL Server MVP, es****@sommarskog.se

Jun 14 '06 #4
> Unless you can set up some trust between them you need to use SQL
> authentication.

How can I enforce only SQL authentication, although the only two options
available are Windows authentication only or mixed mode?

This means that there always has to be trust between domains or that
they be on the same domain.

Else how can I enforce SQL authentication only?
Sorry for all these questions.
I really appreciate ur help.
Thanx for your time

Jun 15 '06 #5
(En******@gmail.com) writes:
> How can I enforce only SQL authentication, although the only two options
> available are Windows authentication only or mixed mode?
>
> This means that there always has to be trust between domains or that
> they be on the same domain.
>
> Else how can I enforce SQL authentication only?

Not sure that I understand your question. You cannot configure SQL Server
to not permit Windows authentication at all. But if you put the SQL Server
machine in its own domain (or a workgroup), the only way to log in with
Windows authentication is on the local machine.

Note that SQL authentication is not dependent on domains trusting each
other.
--
Erland Sommarskog, SQL Server MVP, es****@sommarskog.se

Jun 15 '06 #6
On 14 Jun 2006 22:04:33 -0700, En******@gmail.com wrote:
>> Unless you can set up some trust between them you need to use SQL
>> authentication.
>
> How can I enforce only SQL authentication, although the only two options
> available are Windows authentication only or mixed mode?
>
> This means that there always has to be trust between domains or that
> they be on the same domain.
>
> Else how can I enforce SQL authentication only?

Hi Eng.Rana,

Though you can't disable the mechanism for Windows authentication, you
can render it unfunctional by granting nobody the right to login with
Windows authentication.

Windows authentication doesn't mean that every domain user suddenly has
the right to connect to SQL Server - you have to explicitly allow this
to individual Windows accounts or groups. In SQL Server 2000, you used
the sp_grantdbaccess stored procedure (or some graphical tool) for
this; in SQL Server 2005, this stored procedure is replaced by the
CREATE LOGIN xxx FROM WINDOWS command.

Note that by default, all Windows accounts that are in the
builtin/administrators group have access to the DB using Windows
authentication. If you really want to force everyone to use SQL
authentication, you'll have to remove these logins (using
sp_revokedbaccess or DROP LOGIN). I have never tried if this works,
because I'm scared that I'll forget my sa password and never be able to
regain access to the DB. <g>

--
Hugo Kornelis, SQL Server MVP
Jun 15 '06 #7
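
The settings discussed in this thread (the server authentication mode, which Windows accounts and groups hold a login, and whether SQL logins are subject to password policy) can be read from the catalog views in SQL Server 2005 and later. The T-SQL below is an added example, not part of any poster's reply; `app_login` is a placeholder login name.

```sql
-- Added example: audit queries for SQL Server 2005 and later.

-- 1. Which authentication mode is the instance running in?
SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
           WHEN 1 THEN 'Windows authentication only'
           WHEN 0 THEN 'Mixed mode (Windows + SQL authentication)'
       END AS auth_mode;

-- 2. Which Windows accounts and groups have been granted a login?
--    BUILTIN\Administrators is listed here if the default grant
--    is still in place.
SELECT name, type_desc, is_disabled, create_date
FROM sys.server_principals
WHERE type IN ('U', 'G')      -- U = Windows login, G = Windows group
ORDER BY type_desc, name;

-- 3. Which SQL logins are exempt from the Windows password policy
--    (complexity, lockout) or from password expiration?
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0
   OR is_expiration_checked = 0
ORDER BY name;

-- 4. Turn policy enforcement on for one login found in step 3.
--    [app_login] is a placeholder, not a name from the thread.
--    The existing password is only checked against the policy
--    the next time it is changed.
ALTER LOGIN [app_login] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
```

In mixed mode, rows returned by query 3 are the SQL logins that still lack the password-strength and lockout checks mentioned earlier in the thread.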
