Which is the more secure method to login to SQL server: using the Windows user or a SQL server database user? - sql-server

The conventional wisdom says using your Windows user to log in to SQL Server is more secure than using a SQL Server user to log in. But isn't the authentication nearly identical?
When you log in to SQL Server with a database user, a login packet is created with the password encrypted. A certificate is attached to the packet and sent to the database. When the certificate is authenticated, the hashed password is matched to the hashed password stored in the database. If they match, you are logged in.
When you log in to SQL Server with a Windows user, MSGINA creates a login packet, but I'm not sure if or how it's encrypted. A certificate is attached and the packet is sent to the LSA. When the certificate is authenticated, how are the credentials verified?
To make this question fair, assume the certificate service is the same, as well as the method to create the password hash. In this scenario, the two methods seem equally vulnerable to a man-in-the-middle type of attack intercepting the login packet.

Depends how you define "secure". There's more to security than the cryptographic details of the authentication mechanism. For example:
With SQL Server auth, accounts/passwords are under the control of the DBAs. With Windows auth (to a domain) they're under the control of the domain admins.
Security policy (e.g. password strength, password aging, password length, permitted login locations/times, disabling accounts) is readily administered (e.g. via group policy) and audited when using domain authentication.
Domain authentication can use multiple factors (e.g. security tokens), whereas SQL Server authentication (AFAIK) can't.
MITM vulns in AD authentication (and more broadly Kerberos in general) would be big news.
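Added example, not from the answer above or from the SQL Server documentation: the policy and audit point made in this answer, seen from the SQL Server side. A SQL login created with CHECK_POLICY and CHECK_EXPIRATION inherits the host's Windows password policy, which narrows (but does not remove) the gap the answer describes; the final query lists the logins that escape it. The login names, the placeholder password and the domain group are assumptions.

```sql
-- Added example (not the answer's own code). Names and the password are placeholders.

-- Weak: no policy, no expiration. Nothing outside SQL Server ever reviews
-- this password's strength, age or lockout.
CREATE LOGIN app_reader_weak
    WITH PASSWORD = N'<placeholder-password>',
         CHECK_POLICY = OFF,
         CHECK_EXPIRATION = OFF;

-- Better: CHECK_POLICY makes SQL Server validate the password against the
-- host's Windows password policy (complexity, lockout); CHECK_EXPIRATION
-- adds the ageing rules; MUST_CHANGE forces a new password at first use.
CREATE LOGIN app_reader
    WITH PASSWORD = N'<placeholder-password>' MUST_CHANGE,
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;

-- Windows authentication: the login is a domain group, so membership,
-- password rules and disabling are administered by the domain admins.
CREATE LOGIN [MYDOMAIN\SqlAppReaders] FROM WINDOWS;

-- Audit: SQL logins that bypass the policy, with lock/expiry state.
SELECT name,
       is_policy_checked,
       is_expiration_checked,
       is_disabled,
       LOGINPROPERTY(name, 'IsLocked')            AS is_locked,
       LOGINPROPERTY(name, 'IsExpired')           AS is_expired,
       LOGINPROPERTY(name, 'BadPasswordCount')    AS bad_password_count,
       LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set
FROM sys.sql_logins
WHERE is_policy_checked = 0
   OR is_expiration_checked = 0;
```

The policy enforcement only applies to SQL logins on a Windows host, and only to what the local security policy (or group policy) defines; multi-factor authentication and login-location restrictions remain domain-side features, as the answer says.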

Windows login is very secure - assuming Active Directory, you're sending a hash to AD to authenticate you which returns the ticket that is subsequently used to login to SQLServer.
However, this only applies to AD; local users use NTLM, which is pretty old and is easily crackable by today's standards.
Windows logins are used to secure pretty much everything, including the user accounts that services like SQLServer run as, so if it's not the most secure then you have more worries than user login to your DB.

The question is how you store the password and login information.
When you use Windows login you can rely on authentication by your Active Directory server or simply the Windows machine, while when logging in with SQL Server credentials you will need to have the password somewhere in a form that you'll need to encrypt in order to add it to the connection string.
This might be fine if the application is on the server, but more complicated when it is a rich client which is accessing the server directly. If you have such a scenario in a company, it is better to let Active Directory deal with the authentication.
In general it is also easier to administrate when you have the same Active Directory in use everywhere.

Related

How does IIS request information from LDAP?

When a user logs in to an SSO (Single Sign-On) application, IIS makes a request to LDAP (Lightweight Directory Access Protocol) to get some user information for authentication. I am trying to find where the communication between LDAP and IIS happens (I am assuming that IIS sends a request to LDAP in order to get some user information). I have looked in IIS Manager in Windows and could not find the communication between IIS and LDAP. Does anyone know where I would be able to find the communication between LDAP and IIS?
If you're talking about Windows Authentication, then no, IIS doesn't use LDAP. It will use either Kerberos (preferably) or NTLM.
The mechanism is different for each, but basically, the user is already logged in on the client computer and sends their already-existing ticket to the server. The server just verifies the ticket with the domain controller. This means that the server must be joined to the same domain (or a trusted domain) as the user logging in.
For seamless SSO (where the user does not need to type in their username/password), the user must be logged into the client computer with the credentials they want to use on the website. If not, they will be prompted for credentials and the actual logging in will happen from the server.
If you cannot use Windows Authentication because the server is not joined to the same (or trusted) domain as the user, then you would have to implement LDAP authentication yourself. You would use Forms Authentication, ask for the user's username and password, and validate the credentials like this for example.

How to connect to SQL Server using Windows authentication impersonating another user?

To express myself better I start with an example.
In my client server application there is a users table.
Each user is mapped to a SQL Server user.
The database is full of tables; anyway each user can query just 1 table.
The table contains the following information:
the version of the database (so the client app can check whether the database version matches the client version)
the db admin login name (typically "sa")
the db admin password (this is encrypted with a custom algorithm for security - please note I install a dedicated SQL Server instance for my application)
I make sure each user can query just a table by executing for each user:
GRANT SELECT ON ConnectionTable TO LoginName
So the full flow is:
1) the user enters username/password
2) the client application retrieves all the info from ConnectionTable
3) the client application decrypts the sa password
4) the client application logs in as sa so all tables are visible and editable
Now this is what I have (legacy) and I cannot change it.
Somehow this "custom login trick" has been done to avoid writing the sa password somewhere on the client; many client server software packages I know in fact all use sa to connect, and user/password are just two fields of a simple USERS table, but the real connection string is somehow (with a certain degree of security) saved in a file on each client; in my case the "connection string" is stored in the database, so as a user logs in to the database (even with a user that has restricted access) he gets all he needs to successfully log in.
Since I install SQL Server in mixed mode I also support Windows Authentication.
So at login the user has a switch to choose between SQL Server and Windows Authentication, as happens when connecting with SS Management Studio.
What I am trying to achieve now is to log in as another user.
I would like that the user checks "Windows Authentication" but he/she can still type the username and the password.
My application is written in Delphi using the SDAC components. As far as I understand SDAC does not allow me to do what I need to do, but I could change only the login part using another DAC (FireDAC for example). My goal is to log in as another Windows user.
The final goal is to query ConnectionTable so that I can retrieve the encrypted sa password and log in.
So my question is:
is it possible (in a Delphi Seattle VCL application) to log in to a SQL Server database by setting a Windows user different from the currently logged-in user?
UPDATE:
To better explain my need I describe the real scenario that generates my requirement.
I created a web application (using VCL for the Web) that uses the same authentication method as my client server application does.
Imagine my user is MyDomain\MyUser; when I am on the LAN I will use Windows authentication to log in, but when I log in, let's say, from my Android phone I would like to log in as MyDomain\MyUser by providing the password. This is the case; in fact I do not need to impersonate other users, I just want to log in with my user when I am not logged in on a Windows PC in a LAN.
So somehow at the login screen of my application I would like to choose Auth: Win/SQL and in case Win is chosen, I would like to pass the actual username and password to log in.
I hope this clarifies the scenario more.
Moreover I also host my application in the cloud and in this case all users are Windows authentication users of a domain that I created for administrative purposes, and each user needs to provide username and password to log in.
My request comes from the fact that I always supposed that Windows Authentication = LDAP and therefore in LDAP it is possible to specify user and password, while in SQL Server it looks like somehow the user is pre-defined (and = to the logged-in user) in case of Windows authentication.
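Added example, not from the question above: the GRANT in the question is only safe if each per-user login really can reach nothing but ConnectionTable, since whoever can read that table obtains the encrypted sa password. This T-SQL verifies that from the DBA side. The database name AppDb, the user app_user1, the dbo schema and the second table name are assumptions; EXECUTE AS USER needs IMPERSONATE permission on the user or sysadmin.

```sql
-- Added example (not the poster's code). AppDb, app_user1 and dbo.Orders are placeholders.
USE AppDb;

-- 1. Explicit grants on objects for this user, as recorded in the catalog.
SELECT pr.name              AS principal_name,
       pe.permission_name,
       pe.state_desc,
       OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions pe
JOIN sys.database_principals pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class_desc = 'OBJECT_OR_COLUMN'
  AND pr.name = 'app_user1';

-- 2. Effective permissions: impersonate the user and ask SQL Server directly.
--    Role membership, schema-level grants and denies are all taken into account.
EXECUTE AS USER = 'app_user1';

SELECT HAS_PERMS_BY_NAME('dbo.ConnectionTable', 'OBJECT', 'SELECT') AS can_select_connection_table, -- expected 1
       HAS_PERMS_BY_NAME('dbo.ConnectionTable', 'OBJECT', 'UPDATE') AS can_update_connection_table, -- expected 0
       HAS_PERMS_BY_NAME('dbo.Orders',          'OBJECT', 'SELECT') AS can_select_orders;           -- expected 0 (or NULL if not even visible)

-- Every table or view this user holds any object-level permission on.
-- For the scheme in the question the result should be ConnectionTable alone.
SELECT p.entity_name, p.permission_name
FROM sys.objects o
JOIN sys.schemas s ON s.schema_id = o.schema_id
CROSS APPLY sys.fn_my_permissions(QUOTENAME(s.name) + '.' + QUOTENAME(o.name), 'OBJECT') p
WHERE o.type IN ('U', 'V')
  AND p.subentity_name = ''      -- object-level rows only, not per-column rows
ORDER BY p.entity_name, p.permission_name;

REVERT;
```

Run the second half once per login, or wrap it in a cursor over sys.database_principals; the catalog query alone misses permissions that arrive through role membership, which is why the impersonated check is the one to trust.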

How does mixed mode work in SQL

I am currently new to managing databases, hence the question. From my lecture notes, it states that
A user logs into the network, Windows or otherwise.
The user opens a nontrusted connection to SQL Server using a username and password other than those used to gain network access. It’s called a nontrusted connection because SQL Server doesn’t trust the operating system to verify the user’s password.
SQL Server matches the username and password entered by the user to an entry in the sys.syslogins table.
My question is: how does the user open a nontrusted connection to SQL Server? I'm confused. What does it mean that SQL Server doesn't trust the operating system to verify the user's password?
Trusted connection is a legacy term and really a misnomer, mostly because of how developers think of apps connecting to a database rather than how a database actually handles connection requests. SQL Server doesn't actually trust connections. It trusts a 3rd party that you designated to authenticate a user and present the appropriate token it will then use for authorization. It just so happens Windows is the only 3rd party you can tell it to trust, but it doesn't have to be.
Important things to distinguish in the process are authentication and authorization. Both SQL Server and Windows can authenticate a login attempt but only SQL Server can authorize access to objects/data. They are distinct though related parts.
When you connect using integrated authN, your security token is passed to SQL Server, which then does basic checks for login mapping to establish the connection. If successful, it goes on to do what it needs to for authZ (e.g. database context switch, authorization, etc...). It only cares that you have a valid token from a trusted source. In this case, it's Windows (simplifying the AD, Kerberos, etc... processes behind this). It doesn't further authenticate; it trusts that Windows has done the right checks already. Note that it doesn't have to be a network or domain user. Even local users can be set up for integrated authN, but that's generally not a good idea.
If you connect with SQL Server credentials, after the pre-login handshake, your credentials are then passed to SQL Server for authorization where it'll check for login, compare password hash, policies (if any), etc... Essentially, the user authentication checks that Windows would have done when you login to a host but the security scope is SQL Server only. Until this authN is done, you are not logged in. These steps occur because the connection attempt is made with un-validated credentials rather than a secure token issued by a trusted party. Once it successfully completes authN then it goes down the same code path as before for authZ.
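Added example, not from the answer above: the authentication/authorization split the answer describes, expressed in catalog terms. A login (server principal) is what gets authenticated, by Windows or by SQL Server; a database user (database principal) is what gets authorized, and both kinds of login map onto the same kind of user and the same roles. The two queries at the end check the join between the two sides. The domain group, the login names, AppDb and dbo.Orders are assumptions.

```sql
-- Added example (not the answer's code). All names and the password are placeholders.

-- Authentication side: two server principals. The first is verified by
-- Windows (trusted connection), the second by SQL Server itself (nontrusted).
CREATE LOGIN [MYDOMAIN\ReportUsers] FROM WINDOWS;
CREATE LOGIN report_svc
    WITH PASSWORD = N'<placeholder-password>', CHECK_POLICY = ON;

-- Authorization side: both map to database users and share one role.
-- Neither login type gets any data access until it is mapped here.
USE AppDb;
CREATE USER [MYDOMAIN\ReportUsers] FOR LOGIN [MYDOMAIN\ReportUsers];
CREATE USER report_svc FOR LOGIN report_svc;
CREATE ROLE report_reader;
GRANT SELECT ON dbo.Orders TO report_reader;
-- ALTER ROLE ... ADD MEMBER is SQL Server 2012+; older versions use sp_addrolemember.
ALTER ROLE report_reader ADD MEMBER [MYDOMAIN\ReportUsers];
ALTER ROLE report_reader ADD MEMBER report_svc;

-- Check 1: logins that can authenticate to the instance but have no user
-- in this database (db_user is NULL). They connect, then get only what
-- guest/public allows here.
SELECT sp.name AS login_name, sp.type_desc, dp.name AS db_user
FROM sys.server_principals sp
LEFT JOIN sys.database_principals dp ON dp.sid = sp.sid
WHERE sp.type IN ('S', 'U', 'G')      -- SQL login, Windows user, Windows group
  AND sp.name NOT LIKE '##%'          -- skip certificate-mapped system logins
ORDER BY sp.name;

-- Check 2: orphaned users, i.e. database principals whose login no longer
-- exists (typical after restoring a database onto another instance).
SELECT dp.name AS orphaned_user, dp.type_desc
FROM sys.database_principals dp
LEFT JOIN sys.server_principals sp ON sp.sid = dp.sid
WHERE dp.type IN ('S', 'U', 'G')
  AND dp.principal_id > 4             -- skip dbo, guest, INFORMATION_SCHEMA, sys
  AND sp.sid IS NULL;
```

The point the queries make is the one in the answer: once authentication has produced a login, the path through users, roles and grants is identical whether the login was verified by Windows or by SQL Server.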

ADFS roles from SQL Server

Scenario: In an intranet application, ADFS uses AD for authentication(Account Store) and Sql server for authorization(roles/Attribute Store).
The roles are my own application specific. There are other applications that need to use ADFS. If ADFS is configured to use my SQL Server to fetch roles, what would other applications do? How will they manage their authorization?
Is my understanding correct? If yes, please verify my answer:
Ans: ADFS just returns me the AD identifier (SID/Name). I map this to my SQL Server roles. Role management should be done by my own application connecting to SQL Server. Use session to prevent hitting DB for authorization every time.
To avoid hitting the SQL server for every authorization check, you could implement claims based authentication. Use the SQL attribute store to add your role claims to the AD user ID claims. The resulting claims ticket (SAML) is sent as a cookie and isn't fetched on every authentication check, as it is kept as a cookie by the user browser and is available to the server on each and every request. The timeout/refresh can be set by adjusting the claims ticket TTL (time to live). Just a suggestion... =o)

IIS to SQL Server kerberos auth issues

We have a 3rd party product that allows some of our users to manipulate data in a database (on what we'll call SvrSQL) via a website on a separate server (SvrWeb).
On SvrWeb, we have a specific, non-default website setup for this application so instead of going to http://SvrWeb.company.com to get to the website we use http://application.company.com which resolves to SvrWeb and the host headers resolve to the correct website.
There is also a specific application pool set up for this site which uses an Active Directory account identity we'll call "company\SrvWeb_iis". We're set up to allow delegation on this account and to allow it to impersonate another login, which we want it to do (we want this account to pass along the AD credentials of the person signed into the website to SQL Server instead of a service account).
We also set up the SPNs for the SrvWeb_iis account via the following command:
setspn -A HTTP/SrvWeb.company.com SrvWeb_iis
The website pulls up, but the section of the website that makes the call to the database returns the message:
Cannot execute database query.
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
I thought we had the SPN information set up correctly, but when I check the security event log on SrvWeb I see entries of my logging in, but it seems to be using NTLM and not Kerberos:
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Any ideas or articles that cover this setup in detail would be extremely appreciated!
If it helps, we are using SQL Server 2005, and both the web and SQL servers are Windows 2003.
There are several possible reasons for Kerberos failures, which include a missing SPN and duplicate SPNs as well.
If SQL is running under a custom account you would need to add an SPN for SQL as well.
Also keep in mind, you should be adding the SPN for the FQDN which is the host (A) entry in DNS and not a CNAME.
Check the value of NTAuthenticationProviders
http://support.microsoft.com/kb/215383
Try DelegConfig, which would show what is missing, whether it's an SPN or something else.
http://www.iis.net/community/default.aspx?tabid=34&g=6&i=1887
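Added example, not from the answer above: what SQL Server itself records about each session's authentication, which is the quickest way to confirm the NTLM-versus-Kerberos symptom from the question on the SQL side and to tie it back to the trusted/nontrusted distinction in the mixed-mode answer earlier on this page. auth_scheme is SQL for a SQL login and NTLM or KERBEROS for a Windows login; an NTLM session from the web server cannot be delegated onward, which is consistent with the ANONYMOUS LOGON error. The host name SvrWeb is taken from the question; sys.dm_server_services is an assumption for the reader's version (it exists from SQL Server 2008 R2 SP1, not on the 2005 instance in the question).

```sql
-- Added example (not the answer's code). 'SvrWeb' is the web server from the question.

-- Mixed mode or Windows-only? (Windows-only still allows both NTLM and Kerberos.)
SELECT CASE CONVERT(int, SERVERPROPERTY('IsIntegratedSecurityOnly'))
         WHEN 1 THEN 'Windows authentication only'
         ELSE 'Mixed mode (Windows and SQL Server logins)'
       END AS auth_mode;

-- Per session: who logged in, from where, and by which scheme.
--   SQL      = nontrusted connection, password checked by SQL Server
--   NTLM     = trusted connection, but not delegable to a further hop
--   KERBEROS = trusted connection via a ticket; needed for the double hop
SELECT s.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       c.auth_scheme,
       c.client_net_address
FROM sys.dm_exec_sessions s
JOIN sys.dm_exec_connections c ON c.session_id = s.session_id
WHERE s.is_user_process = 1
ORDER BY s.session_id;

-- The failing case in the question: sessions arriving from the web server
-- over NTLM instead of Kerberos.
SELECT s.session_id, s.login_name, c.auth_scheme
FROM sys.dm_exec_sessions s
JOIN sys.dm_exec_connections c ON c.session_id = s.session_id
WHERE s.host_name = 'SvrWeb'
  AND c.auth_scheme = 'NTLM';

-- Same check for the connection you are running this from.
SELECT auth_scheme
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;

-- Which account needs the MSSQLSvc SPN: the one the engine runs as.
-- sys.dm_server_services exists from SQL Server 2008 R2 SP1; on 2005 read the
-- service account from SQL Server Configuration Manager instead.
SELECT servicename, service_account
FROM sys.dm_server_services;
```

If the second query returns rows, the SQL-side SPN is the thing to check next, as the answer says: Kerberos to the database requires an SPN of the form MSSQLSvc/<sql-host-fqdn>:<port> registered on the account returned by the last query, and the web tier's own SPN alone is not enough for the second hop.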