Security

[Guest]

I have a client that would like the asp.net application to have security as
follows:

Impersonated using account XXXXX for the purpose of using SSPI in making the
database connection. This way no user information is stored anywhere but IIS
security settings.

At the same time the app will be in need of capturing user NT credentials to
identify who is actually accessing the web application. The NT account itself
will not be set up in SQL server. So the app can not use integrated security.

Normally the web.config would have the db connection string using a db
defined user account. However, in this case we need the db user to be the
same user as the web app is running under yet we need the client user's NT
info.

Any help is appreciated.

-Demetri

 

[Jeffrey Palermo [MCP]]

Demetri,
I'll share what we do because I do something similar. I use the
web.config file to impersonate a domain user that has access to the database
and other domain resources. I use aspnet_setreg to encrypt and store in the
registry the domain user and password. I leave the IIS settings alone and
have Windows Integrated Security set. ASP.NET is able to authenticate the
user while running the code under the impersonated account. It works great.

Best regards,
Jeffrey Palermo