For my ASP.NET website with forms authentication, I will use Windows integrated security to access a SQL database. I will give DB permissions to the ASPNET or NETWORK SERVICE. Under what circumstances would I use SQL authentication instead?

+3  A: 

Use SQL Auth when you need non-Windows machines to make a DB connection.

Keep in mind that it adds another attack vector (another set of credentials to compromise the machine), so make sure you really need it before using it.

Corbin March
Actually, that's not totally correct; you can use Windows Authentication if you are crossing domains, it just takes a little extra setup.
Kevin
You're right. Thanks.
Corbin March
+4  A: 

SQL authentication is also often required when your site is being hosted by an external ISP. They often do not support Windows authentication or do not allow you the ability to grant permissions to Windows accounts.

AdamRalph
If it's a Windows-hosted website that accesses the database, that wouldn't matter, correct?
zsharp
That alone is not enough. The ISP would also have to allow Windows authentication against the database and in many cases they don't do this, which means you still have to use SQL authentication even if your website is hosted on Windows.
AdamRalph
With a VPS? I believe you can use integrated security.
zsharp
+2  A: 

If you want to completely manage user accounts, you should use SQL Authentication. This way, you have complete control over user accounts. You could force them to enter private information for example.

Also, like Corbin mentioned, if clients are not running Windows OS, you cannot use Windows Authentication (obviously).

Jon
+3  A: 

Really, you use SQL Authentication when you can't use Windows Authentication. In my opinion that is about the only time. Windows authentication is more secure and can be centrally managed in places which use Active Directory. If you have people who really know how to administer Active Directory and you're in a Windows environment, there isn't a good reason to use SQL authentication.

With SQL Authentication you have to manage the passwords, etc., in connection strings, and that means that in order to change the account accessing the database, someone has to know how the application functions or at least where the information is stored. With Windows Authentication, all the network admin has to do is enter the correct username and password into the IIS application settings and you're ready to rock and roll. No developer interaction required.

You have extra steps in securing the connection string information, as passwords, etc., should be encrypted when stored in the config files. All around, there are a lot more steps involved in efficiently and securely using SQL Server authentication as opposed to Windows Authentication. This is especially true if the same SQL Server credentials are used to access multiple databases across multiple servers.

Kevin
I agree 99% with this post, but think there is one other situation where SQL authentication makes sense. With high traffic sites, a single SQL application login uses more efficient connection pooling. However, as noted, it is generally less secure.
JohnFx
Yes, but I am pretty sure you can use a connection pool with a Windows-authenticated account if you are using the ASP.NET worker process account and not the individual authenticated user.
Kevin
+1  A: 

Please be reminded that Windows Authentication is the recommended mode of authentication for the simple reason that it inherits the OS authentication. There are many reasons you may not use Windows Authentication, as explained above.

MarlonRibunal
+1  A: 

That depends. If you are developing an in-house web app and the network IT people are down the hall, then use Windows authentication. If you are deploying your app to customers and you have no control of their network infrastructure, then I would use SQL authentication.

Ron Skufca
+1  A: 

If you don't have control over the Active Directory (like in a hosted situation) or there are users with operating systems other than Windows, you don't have a choice.

Is there a need to create user accounts on the fly with some script? It has to be easier to do for a SQL user than the Active Directory (probably not impossible).

Jeff O
+1  A: 

Besides all of the above, consider a case like this:

The account you need to use is from Domain A. The database is on Domain B. Domain A and Domain B don't have a trust relationship.

You will need SQL authentication to get past this situation. Hope this helps.

(To add more clarity): The database is NOT registered with the Active Directory. Then it is not possible to use Windows authentication.

Critical Skill
A: 

What if I do not have any domain server and all my machines are on a workgroup? Can I still use Windows authentication, or do I need to switch to SQL authentication?

DEE