integrated Secure with Sql Server

[ad]

I want to set integrated Secure in my connect string to SQL Server

I set the connect string as:

workstation id=xxx;packet size=4096;integrated security=SSPI;initial
catalog=vvv;persist security info=False

and I have execute sp_grantlogin 'ServerName\ASPNET' in Sql Query Analyzer

But when I execute my web application, it result an error at line:

¦bsqlDataAdapter1.Fill(dataset1);

The error message is 'NT AUTHORITY\NETWORK SERVICE'

How can I solve this problem?

 

[Scott Allen]

Hi ad:

It sounds like you are on Win 2003 which uses the NETWORK SERVICE
account to run the worker process instead of the ASPNET account.
You'll need to grant the 'NT AUTHORITY\NETWORK SERVICE' a login it and
database privs.

 

[ad]

Thank
But I have still some question
1. Why I can't find the 'NT AUTHORITY\NETWORK SERVICE' in my Windows 2003
account?
2. Must I must give the database db owner to 'NT AUTHORITY\NETWORK SERVICE'
? Can I give 'NT AUTHORITY\NETWORK SERVICE' a lower role?

 

[Cowboy \(Gregory A. Beamer\)]

Thank
But I have still some question
1. Why I can't find the 'NT AUTHORITY\NETWORK SERVICE' in my Windows 2003
account?

The service is in there on the local box.

2. Must I must give the database db owner to 'NT AUTHORITY\NETWORK SERVICE'
? Can I give 'NT AUTHORITY\NETWORK SERVICE' a lower role?

You can give very granular rights. Select the objects you want to hit and
give the rights to the account there.


NOTE: This is not the best way to give access to SQL Server. In this
instance, you are potentially less secure than you are using a UID and PWD
in your connection string. The better method is to force people to log in,
using WIndows Authentication, and give Domain Users access to the objects
(still a bit insecure, but less than allowing the entire web world access).
This does not work with Internet apps, of course.

Another possibility is to set up a web service and give it rights to SQL and
have the web server use it. You can then give access to the NETWORK SERVICE
account without opening everything to the web directly. Still less secure
than other means.

COM+ is another option where you can assign a specific user. It is also
possible, but rather complex, to set up a service that uses a specific
account and run some form of persistence layer to serve data.

--
Gregory A. Beamer
MVP; MCP: +I, SD, SE, DBA

*************************************************
Think outside the box!
*************************************************

 

[ad]

Thank a lot!



1. So that you mean 'NT AUTHORITY\NETWORK SERVICE' is not a user account?
2. What is the local box?

The service is in there on the local box.