I'm want to create a SQl Server login for a IIS web application. Since the Web Application using IIS 7.5 identity, and in addition in production the Sql Server may be in a separate machine, I'm looking for use a user and password based connection string.
Now, I'm a little confused how to create this login in Sql Server 2008 R2. Should I use databawse specific User, or a global login? Should I Database Role or Application Role?
What are the best practices to get a login for an IIS application that don't use Stored Procedures, but makes a use of an ORM tool, like NHibernate?
The following article:
http://msdn.microsoft.com/en-us/library/bb882673.aspx
recommends using Integrated Security to connect to the database.
Related
I am currently working on a project to help configure an application in GCP, been working mostly in Azure and I am a bit confused with users and rights in Cloud SQL for SQL Server. It seems that SA is not permitted and I can understand that but in their documentation it states:
You can create other SQL Server users or roles. All Users you create using Cloud SQL are granted the same database permissions as the sqlserver login. if you use a different method the user wont have the same permissions as the customer admin accounts.
My questions.
Create with cloud sql means i have to use the console to create those users and not thru TSQL inside say SQL Server Management Studio that connects to SQL Server?
If i create a login will I then be able to add that login as a user to the database?
thank you.
I have a website that is backed by a database. I requested a SQL Server login with read/write/execute privileges to be created in our Production environment, and our DBA indicated that a non-interactive service account would be preferred.
Are there any potential issues with using a service account in this manner over a SQL Server login?
According to Microsoft, it is a "best practice" to use a service account (i.e. Windows account) and use SQL logins only for legacy applications that are not able to use Windows accounts (see Microsoft Recommendation).
So, only if your website is based on a non Microsoft technology or not hosted by IIS an SQL login might be the better choice.
At my current employer's we've been using non interactive Windows accounts to connect from our ASP.NET applications to SQL server all the time without any problems. It also makes managing and deploying connection strings easier because you don't have to care about securing them.
If you have an ASP.NET application it's good to add the account under which the IIS app pool runs (or a domain group it's in) as a login on the SQL Server.
However an SQL login might also have the practical advantage to be easier to test with: E.g. you can connect to the server using this account with SQL Management Studio to check if the permissions are sufficient.
I have an Asp.Net MVC 3 website that uses asp.net membership services for authentication. The membership database has been running on Sql Server Express 2008 and I am attempting to convert it to Sql Sever Compact 4.0.
Following the instructions here I have created the Sql Server Compact 4.0 database. I used the code from here to switch the membership provider in the MVC app.
Using the new provider and database I am able to successfully create new users and log in using the new user's password. However, I am not able to login to any of the users that previously existed in the Sql Server Express database. I am able to browse the new database and have verified that the users are all there, so I believe the problem is somehow related to not being able to successfully access the encrypted passwords that had been previously created. I really don't want to have all of the existing users change their passwords. Can anyone shed some light as to how I can make this happen?
Is it possible it has something to do with the ApplicationName property in the web.config file?
See this blog post from ScottGu for more information:
Always set the "applicationName" property when configuring ASP.NET 2.0 Membership and other Providers
I am trying to use IIS 7.5 Application Pool identity as login on SQL Server 2008 R2 so that my ASP.NET web app can connect to the database...
Using this approach worked fine on my local dev machine (IIS 7.5 and SQL Server 2008 R2 on same machine).
However, when I try to set up the same on production (IIS and SQL servers are separate) I am unable to add "IIS APPPOOL\MyAppAppPool" login to SQL Server 2008 R2.
Notice that in either case you cannot use "Browse..." when creating a login in SQL Server since "IIS APPPOOL\MyAppAppPool" user identity is dynamic (or "special")...
Any ideas?
Update:
For more info on Application Pool Identities see here.
From article:
Whenever a new Application Pool is
created, the IIS management process
creates a security identifier (SID)
that represents the name of the
Application Pool itself. For example,
if you create an Application Pool with
the name "MyNewAppPool," a security
identifier with the name
"MyNewAppPool" is created in the
Windows Security system. From this
point on, resources can be secured by
using this identity. However, the
identity is not a real user account;
it will not show up as a user in the
Windows User Management Console.
That articles states (under "Accessing the Network") you still use the <domainname>\<machinename>$ aka machine account in the domain.
So if both servers are in "foobar" domain, and the web box is "bicycle", the login used to the SQL Server Instance is foobar\bicycle$
If you aren't in a domain, then there is no common directory to authenticate against. Use a SQL login with username and password for simplicity
Edit, after comment
If the domains are trusted then you can use the machien account still (use domain local groups for SQL Server, into which add a global groups etc)
As for using app pool identities, they are local to your web server only as per article. They have no meaning to SQL Server. If you need to differentiate sites, then use proper domain accounts for the App Pools.
You can't have it both ways...
To cut a long story short: As part of an online database access system I'm writing I want to use the new BLOB access features in SQL 2008 - this means I have to use Windows Authentication when logging into the SQL Server; however due to it's very nature the website front end to all this uses Forms authentication with the membership data stored on that SQL server.
How do I get the web application to impersonate a user account so it can connect to the SQL server, i.e. I don't want to use the account of a user logged into the website. (Not that you could do this as the membership details are stored on the SQL server)
The webserver and the SQL server are on different machines on the same network, there is a user account set up just for the web application to use.
The connection string should look something like:
< add name="MyConnectionString" connectionString="Data Source=THESQLSERVER;Initial Catalog=TheDatabase;Persist Security Info=True; Integrated Security=True;Application Name=CRM.Sales" providerName=""/>
Where you use Integrated Security. Then your application pool should use an identity that has access to your sql server.
You would grant rights to that identity.