Hi Guys!

Does anybody know if it's possible to set up MSSQL 2008 to use Windows Authentication but users would still have to enter their windows password to log on (this would have to be accomplished by using Delphi 7+ADO)?

[Edit]: Just to clarify, the sql-server and the clients are all within the same Windows Domain.

[Edit 2]: I don't want to write my own new LoginDialog but rather have SQL Server do that for me or let's say the DBConn control.

Kind Regards, Reinhard

+2  A: 

It would be rather insecure and probably reduce trust in your app if you made users enter their domain user and password again, in your app. As Jeroen mentions above, the whole idea of using windows auth is that the existing user session is used!

@MarkRobinson: I don't see why such an application would be insecure? Users don't even know the difference between sql auth and windows auth and up until now within our old system they always had to provide username/password since only sql auth was used

Users don't know the difference so show them the way - if they've logged into their domain account, and by some mechanism of your software they are allowed to use your application, then by all means let them in with a click - show a splash screen that makes them aware you are "Autologging them in with their domain credentials..." or similar, that way you have made them aware that you're saving them time.

It would be insecure for the simple fact that you are adding a step that isn't required, as the windows auth login removes this very issue.

Edit1:

Re-Reading the original question, I can see that the op just wants to pop the default windows login prompt to ensure the security.

I would recommend either:

  1. Ensure there is a screensaver, with a pertinent timeout that will force a relogin
  2. Use LockWorkStation to force a relogin event (perhaps show a message first, along the lines of "for security, your workstation will be locked to ensure you are who you say you are").
MarkRobinson
I agree that it would be "convenient" to not have to enter the password again but again why would this be insecure. If that would be the case then why is SUDO used in Linux so much? Although a user is already logged on with his windows credentials I still want him to enter his password again to ADD security so in case he/she just moves for a short period of time from their desk (I know they "should" lock their screen but that's not what reality looks like) someone else could run this application under someone else's credentials.
pastacool
+1 for mentioning 'insecure'.
Jeroen Pluimers
@pastacool SUDO is a built-in OS command, same as RUNAS under windows, which I would assume as secure (as it would have been tested more), plus I'm sure that the people who run SUDO and RUNAS know they are going to login as someone else and enter their windows credentials. Good idea on the screen saver lock, I'd rather add code that will pop the screen saver after 5 minutes inactivity then ask for a password on resume = more secure :D
MarkRobinson
@Mark: So if you read my question you will see that I wanted to know HOW I could set up MSSQL to accomplish that and not really by implementing my own SUDO like command. That, I will agree, would be less secure.
pastacool
Aah, I get you now - I just read your recent edit and you just wanted to pop the standard windows login prompt when your app starts to force reauthentication... I don't think it can, but ensuring there is a screen saver with a timeout that forces a relogin can be done through code (just remember to restore the initial values on exit) <- the answer :D
MarkRobinson
@Mark: that's exactly what I wanted - should have said that in the question but if you ask for something you're so "blind" because to you everything is clear! Any idea how to handle my question now as, like "Scott W" suggested to not close/delete so someone else can at least find this discussion about it, but NOT let it hanging unanswered?
pastacool
@pastacool Can you read? I offered two answers above - you're so blind because to you everything is clear. No need to get offensive btw, I'm only trying to help - take advice and learn from it rather than become offensive like a petulant child.
MarkRobinson
@mark: sorry, again a misunderstanding. please replace you/you're with I/me
pastacool
@pastacool - sorry, I did indeed misread your last comment, I apologise for the petulant child remark... my bad...
MarkRobinson
@mark: +1 and apology accepted - I could have been clearer in the beginning. This taught me again that I shouldn't "write" like I would "talk" to someone
pastacool
+2  A: 

If you really wanted to do this, you could prompt the user to (re-)enter credentials and then verify and handle appropriately based on success/failure. To do this, you are looking for the LogonUser function. At this point, you could even allow a user to log into the database using credentials other than those used to log into the computer by using the ImpersonateLoggedOnUser function. Please see this answer.

Scott W
Thanks for the link, maybe I can use it somehow
pastacool
Since the direct answer to my question is "NO, SQL Server cannot be set up that way" I will go ahead with what you suggest in yours because this way I can kind of rebuild a Linux like "SUDO" where I don't want to impersonate someone else but force the user to re-enter his password.
pastacool
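One way to implement the re-entry check described in this answer, as an added example in Delphi (not code from the thread): it validates a password with LogonUser for the account that owns the current session only, so the check cannot be used to switch to another user. The unit and function names are hypothetical, and reading the domain from the USERDOMAIN environment variable is an assumption.

```delphi
unit ReauthCheck;

interface

// Hypothetical helper: returns True when Password is valid for the account
// that owns the current Windows session. The user name is read from the
// session itself and is never supplied by the caller.
function ReauthenticateCurrentUser(const Password: string): Boolean;

implementation

uses
  Windows, SysUtils;

function CurrentUserName: string;
var
  Buf: array[0..256] of Char;   // UNLEN (256) plus the terminating #0
  Len: DWORD;
begin
  Len := Length(Buf);
  if not GetUserName(Buf, Len) then
    RaiseLastOSError;
  Result := Buf;
end;

function ReauthenticateCurrentUser(const Password: string): Boolean;
var
  Token: THandle;
  Domain: string;
begin
  // Assumption: the logon domain is taken from USERDOMAIN.
  Domain := SysUtils.GetEnvironmentVariable('USERDOMAIN');
  Token := 0;
  Result := LogonUser(PChar(CurrentUserName), PChar(Domain), PChar(Password),
    LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, Token);
  // The token is only proof that the password was accepted; it is not
  // used for impersonation here, so release it immediately.
  if Result then
    CloseHandle(Token);
end;

end.
```

Each failed call is a real failed logon and counts toward the domain's account lockout policy, so limit retries in the dialog that collects the password.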
+1  A: 

From the page Scott W linked to, there is a good link to How to validate user credentials on Microsoft operating systems. In particular, they go into a little bit of detail about the security aspect:

Note: Collecting user credentials from a User-mode application can be annoying to the users and can provide a possible security hole in the enterprise computing environment. The Unified Logon requirement (a requirement that the user should only be required to type their credentials one time at the CTRL+ALT+DEL screen), was added to the Microsoft BackOffice logo requirements for these very reasons. It is important to make sure that you really need to gather credentials and that some other method of client/server validation is not more appropriate. Consult the security documentation in the Platform SDK for more information on impersonation and programming secured servers.

Douglas