Passing IIS Anonymous Account to SQL Server

M

Matt F

Hi all

I was hoping some one could clear up an ASP.Net security question I
have.

I am writing an ASP.NET application that connects to SQL Server. The
security setup (connection string and IIS) will vary depending on the
client who installs it. Some clients will undoubtedly wish to have IIS
and SQL Server on separate machines, with Anonymous authentication in
IIS, and a SQL Server connection string using Windows integrated
security.

I've found that, if I'm using windows integrated security in the
database connection string, and Anonymous authentication at IIS with an
appropriate account specified, the authentication doesn't get passed
through to the remote SQL Server. I'm using Forms authentication in the
ASP.NET app, with impersonation turned on. To get the app to work with
the SQL Server instance on another machine using the configuration
above, I've found I've had to specify a username and password in the
'identity' element where impersonation is turned on. I'm not a big fan
of this as the credentials are in clear text. With old ASP, the account
being used for IIS Anonymous authentication was used, but this seems to
no longer be the case. I know I could probably change the account in
machine.config, but this is also not acceptable given the app will be
sold pre-packaged.

Does anyone have any suggestions? Am I missing something simple??

Thanks

Matt
 
A

avnrao

I am not clear enough about making your app imerpsonation enabled.. is it
becuase SQL server needs to know the logged in client to give object based
permissions?

if you dont need impersonation, there are different ways to connect to sql
server (as almost all you mentioned). but the best way would be to create a
windows login for this purpose. give minimum permissions to this login on
the sql box. configure this account as ASP.Net identity (deafult is ASPNET).

hth,
Av.
 
M

Matt F

Hi

Thanks for your reply.

The client(s) will be setting this web application up and running it
themselves. I was therefore using impersonation (without a specific
login) in an attempt to allow them to configure IIS security how they
wish, and for the ASP.NET app to use whatever IIS is using. This also
may indeed include permissions on SQL Server. It all depends on how the
client wishes to configure their security.

If I got the client to change the ASP.NET identity, won't this affect
any other ASP.NET apps on their server?

Cheers

Matt
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

GoDaddy MS SQL server 2
SQL 2008 DTSX SSIS with SQL 2022 Developer 1
IIS account used for anonymous access 1
Impersonation with SQL Server SSPI 3
Custome Service Account - Problem connecting to SQL Server (Timeou 4
anonymous access account for sqlConnection 1
Public ASP.NET app and SQL Server security - best practices? 4
How to run IIS and ASP.Net on a specific AD account 3

Members online

No members online now.
Total: 46 (members: 1, guests: 45)
Robots: 477

Forum statistics

Threads
473,995
Messages
2,570,228
Members
46,818
Latest member
SapanaCarpetStudio

Latest Threads

Top