tags:

views:

153

answers:

4
Q: 

How to get ASPNET to be recognized as a Trusted Connection by SQL Server 2005

Here's the situaiton. I'm working on developing a new website to access an old database. This is a DoD installation so there's lots of security around.

The current application is written in classic ASP, VBScript and some javascript. The new systems is ASP.NET.

Accessing the database in the old system meant hitting the server with your own credentials (domainname\username). Now I'm trying to test some of the early development I've done. When I used Cassini (under VS2008), I had no trouble getting to the database because ourdomain\myusername registered with the SQL Server instance as a trusted connection. Due to security aspects that I have to write, Cassini can't serve as a test server anymore - I have to use IIS (we have security card readers here). Cassini can't handle them.

So when I went through all the problems of getting the appropriate accounts added to Administrators on my local pc so that I could debug in VS2008 while using IIS, I tried to connect to the database and I was rejected because MYPC\ASPNET was not a trusted connection.

Altering the existing database is out of the question. Hard coding usernames and passwords for access to the database is out of the question.

I asked the DBA if he could add MYPC\ASPNET to of the domain groups so that SQL Server could see it as a trusted connection (since MYDOMAIN\MYNAME was in a group that was seen as a trusted connection). He tells me that is not technically possible.

In the end there are going to be three or four machines (mine, another developer, the eventual live web server and a future test web server) who's ASPNET accounts are going to be hitting our two SQL servers (live and test).

What do I have to do to make the existing SQL server see me as Friend and not Foe? I looked at impersonation but I get the impression it's not compatible with our system - the business rules make a call to a common routine to create a SqlConnection object and open it (maybe even a SqlTransaction object to go with it) and this object is used for the rest of the business rules and data-access layer until it's done. It didn't look like impersonation would persist once the SqlConnection was opened (and passed, ByRef back to the calling routine)

Thanks in advance for any advice.

A: 

Use Impersonation

John Sheehan  2009-03-27 16:34:02
A: 

Sounds like you want to impersonate the client who is accessing your web site correct? Have you tried to use impersonation or are you assuming it won't work?

Edit

As Albert points out, impersonation requires the user to be authenticated using Windows authentication. You will want to disable Anonymous Access, and enable Windows Authentication in IIS Management tool.

JoshBerke  2009-03-27 16:34:32
In what I've read so far in MSDN pages on Impersonation I haven't yet found an answer. I put a "<identity impersonate="true" />" into the web.config and the error now says that "(null)" user is not a trusted connection. Progress, but not a complete answer yet.
David  2009-03-27 16:46:53
That happens because you have allowed anonymous users. You have to allow only Windows Authentiacation in IIS config
Albert  2009-03-27 16:52:03
Eventually, I have to allow anonymous access because we have users not only in our local domain but coming in from a 'portal site' - unfortunately I don't know much about what information will be available to me from those user's contexts.
David  2009-03-27 17:12:36
In that case your only option is to configure application pool to run in the context of a domain account
Albert  2009-03-27 17:27:19
Your going have to get your red tape out
JoshBerke  2009-03-27 17:30:41
For some reason, disabling anonymous access worked and the website now comes up - when I'm running it in VS2008. If I go into a browser and say https://mypc/mysite - I get refused with a 403 error (since anonymous is turned off)
David  2009-03-27 18:12:12
+1  A: 

You have two options:

  1. Run your web application in an application pool configured to run in the context of a domain account
  2. Use impersonation and configure your web application to use windows authentication only
Albert  2009-03-27 16:37:49
#1 isn't an option. #2 is a mystery so far and I'm hoping the answer is in Impersonation somewhere.
David  2009-03-27 16:44:56
Why number one is not an option? Based on your description it is the best option.
Albert  2009-03-27 16:47:29
I'm at a DoD installation and do not have the credentials nor the red tape supply to go the application pool route.
David  2009-03-27 16:53:53
There's nothing wrong (security wise) to run your application pool in the context of a domain account. You just have to make a single change to IIS
Albert  2009-03-27 17:02:16
A: 

As has already been suggested you should use impersonation.

However if your SQL Server is running on a different machine than your web server then impersonation will not suffice as the credentials of the user will not be delegated to the SQL Server (server hop). In that case you will have to either enable delegation in the AD or create a non-Windows login on your SQL Server and use that instead (this will not work if your SQL Server actually uses the Windows login for access control to tables etc.).

Jakob Christensen  2009-03-27 16:47:37
This is *exactly* the problem. The web server, even in production, will always be different from the SQL server. But creating SQL Server logins introduces security concerns - as in where/how to store the username/passowrd to stick in the connection string?
David  2009-03-27 16:53:06
There are ways to secure the credentials in connection strings (http://msdn.microsoft.com/en-us/library/dx0f3cf2.aspx) but I'm not sure if that's your best option.
Albert  2009-03-27 17:00:27
Allowing delegation on some accounts also poses a security problem. I am not sure what is the best solution but encrypting parts of the web.config file is certainly the easiest.
Jakob Christensen  2009-03-27 17:56:55

related questions

Sql to query a dbs scheme
Transform Columns into Rows
SQL Client for Mac OS X that works with MS SQL Server
How do you get leading wildcard full-text searches to work in SQL Server?
SQL Server 2000: Is there a way to tell when a record was last modified?
What's the BEST way to remove the time portion of a datetime value (SQL Server)
I need to know how much disk space a table is using in SQL Server
What's the best way to determine if a temporary table exists in SQL Server?
Appropriate pagefile size for SQL Server
Have you ever encountered a query that SQL Server could not execute because it referenced too many tables?
ASP.NET MVC "CRUD" Database Sample
How do I unit test persistence?
Best Book for a new Database Developer
Can I logically reorder columns in a table?
Best way to copy a database in SQL Server 2005/8?
Is Windows Server 2008 "Server Core" appropriate for a SQL Server instance?
Why doesn't SQL Full Text Indexing return results for words containing #?
Client collation and SQL Server 2005
Editing database records by multiple users
Deploying SQL Server Databases from Test to Live
SQL Server 2005 implementation of MySQL REPLACE INTO?
Upgrading SQL Server 6.5
How do I version my MS SQL database in SVN?
How to export data from SQL Server 2005 to MySQL
Check for changes to a SQL table?