Saturday, March 24, 2012

windows authentication to SQL Server

Is there a way to use ASP.NET's windows authentication so that the user that
is using our web page is the user that is connected to our SQL Server? This
will allow us to leverage our domain roles/groups. Our connection string is
below.

The options I've found so far I don't like:
1. Impersonation - sql server permissions would be granted to this single
account.
2. Granting rights to the ASP.NET user account on our SQL Server - sql
server permissions would be granted to this account.

In both cases, we could pass the name as a parameter so we can audit the
activity, but we'd really like our sql server security to be based on our
windows logins - not the rights of some other account like the impersonated
account or the ASP.NET account.

Suggestions? Thanks in advance!
Mark

Use impersonation and disable anonymous authentication (in IIS.)
Also in IIS make sure integrated windows authentication is checked.
This way it should run under the user's account.

--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net
Hire top-notch developers at http://www.able-consulting.com

Interesting. I will try this out, but your first sentence strikes me as
non-intuitive. Impersonation (to me) means that you're going to use an
account other than the one that is currently logged in. For example, if I
enter the impersonation information (see below) into the web.config, how do
I make it use the current user's account, rather than some specific account?
Is there an alternative syntax?

<authentication mode="Windows" />
<identity impersonate="true" userName="domain\username"
password="password"/>

Thanks Steve.
Mark

Don't specify a particular user. Let IIS take care of that. So your
identity impersonate line should look like this:
<identity impersonate="true"/>
--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net
Hire top-notch developers at http://www.able-consulting.com

Slick! Thank you!
