views:

48

answers:

2

I have an ASP.NET application which runs under the Classic .NET AppPool in IIS.

I have a report to render from my website.

The problem is SQL Server keeps telling me that it failed to create a connection to the datasource, because login failed for user IUSR.

After adding that user directly to the databse I could get the report to work, but I'm concerned about security.

By doing that, am I opening my specified databases to all websites hosted on IIS? Or is that account identity-specific?

+2  A: 

A better way to so it would be to change the application pool identity to a specific user and add that user to the database, otherwise you are giving the standard IIS anonymous user access to the database.

Ben Robinson
As well as the above you could use the web.config to impersonate a different user account or have the application use a SQL server login instead of the credentials from the app pool.
Chris W
The downside to using sql server login is that you would have to store the password in the web.config. You can encrypt the connection string but it is more complex to maintain and administer than using windows integrated security.
Ben Robinson
+1  A: 

You're using Windows Authentication. You could use Sql Server authentication so you're independent of the current user of your client application. You should have a sql server user created with just the necessary credentials for your application and use it like this on the connection string.

Data Source=SERVER;Initial Catalog=DATABASE;Persist Security Info=True;User ID=USER;Password=PASSWORD

Claudio Redi