views: 34
answers: 2
I have an ASP.NET application that authenticates users using LDAP against Active Directory. That is, the users enter their same Windows credentials on the web form to log in to this application. The application is basically a SQL Server database frontend, and in my limited experience, I use the standard connectionStrings element in the web.config to enter the information to log in to the database (using a SQL Server login as of right now). I want to change that so that instead, each time a user connects, he or she performs the database operations with his or her Windows user. Of course the database already has those permissions set up for the users, but I have no idea what connection string I am supposed to use, since now there is not going to be a static user/password combo, and I don't want to create SQL Server logins for everybody that is going to use the application.

Thanks!

+2  A: 

Use the ConnectionStringBuilder class and provide it your initial connection string from the web.config. From there, change the username and password properties to match those of your current user.

using System.Configuration;
using System.Data.SqlClient;

// CurrentUser is the answerer's own (undefined) type holding the credentials
// captured at forms login.
public String GetUsersConnectionString(CurrentUser user) {
  string connectString = ConfigurationManager.ConnectionStrings["LocalSqlServer"]
                        .ConnectionString;

  // Start from the configured string (server, database, options) and
  // override only the credential properties.
  SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(connectString);
  builder.UserID = user.UserId;      // the property is UserID, not UserId
  builder.Password = user.Password;

  return builder.ToString();
}
villecoder
This would require the web page to know the user's Active Directory password. Typically not true for IIS running Windows authentication.
Andomar
@Andomar At some point during authentication, you're going to have to get the user's password and authenticate it against the LDAP source. At that time, if the LDAP source successfully authenticates the user, you could create the connection string and store it in the user's Session state. From that point on, all web pages know what the connection string is.
villecoder
@villecoder: That would only work in basic authentication, when you send plaintext passwords over the wire. In most cases, the server asks the client for an MD5 hash of the password added to some other text. The web servers won't know the password.
Andomar
@Andomar The OP states that they are using a windows form to perform LDAP authentication against Active Directory. Keyword here is windows form, meaning the application is aware of the user's password as a POST variable. The server isn't going to hash that value and then pass it to the code behind. I'm not sure where the MD5 is coming in if the authorization mode has been set to Forms.
villecoder
@villecoder: On rereading looks like you might be right, though that would be highly unusual, sending passwords over the wire! +1 anyway
Andomar
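A caveat on the approach above: putting a User ID and Password into the connection string makes SqlClient use SQL Server authentication, so the user would still need a SQL login, which is what the question wants to avoid. In the forms-login case the comments describe (the application has just verified the password against AD), the way to reach SQL Server as the Windows user is to obtain a Windows token for those credentials and impersonate it while opening a connection with Integrated Security=SSPI. The following is an added example, not code from the thread; it assumes .NET Framework on Windows, and the server and database names are placeholders.

```csharp
// Added example (not from the thread): open a SQL Server connection as the
// Windows user whose credentials the forms login just verified, instead of
// building a SQL-login connection string. "Integrated Security=SSPI" makes
// SqlClient authenticate with the thread's Windows token, so we log the user
// on with LogonUser and impersonate that token around the connection.
// Assumed: .NET Framework on Windows; SQLSRV01/AppDb are placeholder names.
using System;
using System.ComponentModel;
using System.Data.SqlClient;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class WindowsUserDb
{
    // LOGON32_LOGON_NEW_CREDENTIALS: the token keeps the web app's local
    // identity but presents the supplied credentials on outbound network
    // connections, which is what a connection to a remote SQL Server needs.
    // Note that with this logon type the password is NOT checked locally; it
    // is only checked when the credentials are used on the network, so the
    // earlier LDAP bind remains the real authentication step.
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_WINNT50 = 3;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Placeholder connection string; note there is no User ID/Password in it.
    const string ConnectionString =
        "Data Source=SQLSRV01;Initial Catalog=AppDb;Integrated Security=SSPI";

    // Runs work against the database as DOMAIN\user.
    public static T RunAs<T>(string domain, string user, string password,
                             Func<SqlConnection, T> work)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password,
                       LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, out token))
        {
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        try
        {
            // Impersonation is undone when the context is disposed, so the
            // app pool identity is restored even if work() throws.
            using (WindowsIdentity.Impersonate(token))
            using (var conn = new SqlConnection(ConnectionString))
            {
                conn.Open();
                return work(conn);
            }
        }
        finally
        {
            CloseHandle(token);
        }
    }

    // Sanity check: SQL Server should report the end user's Windows login,
    // not the application pool identity or a shared SQL login.
    public static string WhoAmI(string domain, string user, string password)
    {
        return RunAs(domain, user, password, conn =>
        {
            using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
                return (string)cmd.ExecuteScalar();
        });
    }
}
```

Two things to keep in mind with this design. The token cannot be stored in Session, so either the cleartext password is kept in server-side session state to repeat LogonUser on each request (the risk Andomar raises, now on the server side rather than the wire) or the work is done within the login request. And SqlClient pools connections per Windows identity when Integrated Security is used, so you get one small pool per user instead of one shared pool; expect more connections to the server than with a single SQL login.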
+1  A: 

You would have to configure the ASP.NET machine for delegation. See this knowledge base article for SQL 2000, or a newer one for SQL 2008.

We have tried it a couple of times at work, but did not manage to get it running smoothly.

Andomar
+1 Thanks for your explanation!
Claudio Redi
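The reason delegation is hard to get "running smoothly" is the double hop: the browser authenticates to IIS, and IIS then has to re-authenticate to SQL Server on the user's behalf. That only works when the caller's token is forwardable, which requires Kerberos (NTLM tokens cannot be delegated) and an Active Directory configuration that allows the web server's identity to delegate (an HTTP/ SPN on the application pool account, an MSSQLSvc/ SPN on the SQL Server service account, and "Trust this ... for delegation" on the web server's account). Otherwise the database sees NT AUTHORITY\ANONYMOUS LOGON. The diagnostic handler below is an added example, not code from the thread; it assumes classic ASP.NET on .NET Framework with `<authentication mode="Windows" />` and `<identity impersonate="true" />` in web.config, and uses placeholder server and database names.

```csharp
// Added example (not from the thread): a diagnostic HTTP handler that reports
// whether the double hop (browser -> IIS -> SQL Server) can work for the
// current caller before you try to open the connection.
// Assumed web.config:
//   <authentication mode="Windows" />
//   <identity impersonate="true" />
// and a connection string using "Integrated Security=SSPI" (no SQL login).
// SQLSRV01/AppDb are placeholder names.
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

public class DelegationCheck : IHttpHandler
{
    const string ConnectionString =
        "Data Source=SQLSRV01;Initial Catalog=AppDb;Integrated Security=SSPI";

    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";

        // With <identity impersonate="true" /> this is the browser user's
        // token, not the application pool account.
        WindowsIdentity caller = WindowsIdentity.GetCurrent();
        context.Response.Write(Describe(caller) + Environment.NewLine);

        if (!CanDelegate(caller))
        {
            context.Response.Write(
                "Token is not delegable: fix Kerberos (SPNs) and AD delegation " +
                "settings before expecting Integrated Security to reach SQL Server.");
            return;
        }

        // If delegation is configured, SQL Server should name the caller,
        // not NT AUTHORITY\ANONYMOUS LOGON.
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
        {
            conn.Open();
            context.Response.Write("SQL Server sees: " + cmd.ExecuteScalar());
        }
    }

    // Both conditions are required: a Kerberos ticket without delegation
    // rights yields an Impersonation-level token that cannot leave this box,
    // and an NTLM token can never be forwarded regardless of AD settings.
    public static bool CanDelegate(WindowsIdentity id)
    {
        return string.Equals(id.AuthenticationType, "Kerberos",
                             StringComparison.OrdinalIgnoreCase)
            && id.ImpersonationLevel == TokenImpersonationLevel.Delegation;
    }

    public static string Describe(WindowsIdentity id)
    {
        return string.Format("User={0} Auth={1} Level={2}",
                             id.Name, id.AuthenticationType, id.ImpersonationLevel);
    }
}
```

Typical output when delegation is broken is `Auth=NTLM Level=Impersonation`: the browser fell back to NTLM, usually because the HTTP/ SPN for the site's host name is missing or registered on the wrong account, so Kerberos was never negotiated. If it shows `Auth=Kerberos Level=Impersonation`, Kerberos works but the web server's account is not trusted for delegation in AD.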