Recipe 1.8 Connecting to SQL Server Using Integrated Security from ASP.NET
Problem
You want to coordinate
Windows security accounts between an ASP.NET application and SQL
Server.
Solution
Connect to SQL Server from ASP.NET using Windows
Authentication in SQL Server.
Discussion
Connecting to a SQL Server database provides
two different
authentication modes:
- Windows Authentication
-
Uses the current security identity from the Windows NT or Windows
2000 user account to provide authentication information. It does not
expose the user ID and password and is the recommended method for
authenticating a connection.
- SQL Server Authentication
-
Uses a SQL Server login account providing a user ID and password.
Integrated security requires that the SQL Server is running on the
same computer as IIS and that all application users are on the same
domain so that their credentials are available to IIS. The following
areas of the application need to be configured:
Configure the ASP.NET application so that
Integrated Windows
Authentication is enabled and
Anonymous Access is disabled. The web.config file establishes the
authentication mode that the application uses and that the
application will run as or impersonate the user. Add the following
elements to the web.config file: <authentication mode="Windows" />
<identity impersonate="true" /> The connection string must contain attributes that tell the SQL
Server that integrated security is used. Use the
Integrated Security=SSPI
attribute-and-value pair instead of the User
ID and Password attributes in
the connection string. The older attribute-and-value pair
Trusted_Connection=Yes is also supported. Add users and groups from the domain and set their access permissions
as required.
By default, ASP.NET applications run in the context of a local user
ASPNET on IIS. The account has limited permissions
and is local to the IIS computer and therefore not recognized as a
user on remote computers. To overcome this limitation when SQL Server
is not on the same computer as IIS, run the web application in the
context of a domain user recognized on both IIS and SQL Server
computers.
In addition to the areas identified where IIS and SQL Server are on
the same computer, the following additional items must be configured
if the SQL Server is on a different computer:
Ensure that the mapped domain user has required privileges to run the
web application. Configure the web application to impersonate the domain user. Add the
following elements to the web.config file for
the web application: <authentication mode="Windows" />
<identity impersonate="true" userName="domain\username"
password="myPassword" />
 | 
