I have two apps that use Integrated Security. One assigns Integrated Security = true in the connection string, and the other sets Integrated Security = SSPI.
What is the difference between SSPI and true in the context of Integrated Security?
According to Microsoft they are the same thing.
When false, User ID and Password are specified in the connection. When true, the current Windows account credentials are used for authentication.
Recognized values are true, false, yes, no, and sspi (strongly recommended), which is equivalent to true.
Integrated Security=true; doesn't work in all SQL providers, it throws an exception when used with the OleDb provider.
So basically Integrated Security=SSPI; is preferred since works with both SQLClient & OleDB provider.
Here's the full set of syntaxes according to MSDN - Connection String Syntax (ADO.NET)
Using Windows Authentication
To connect to the database server is recommended to use Windows Authentication, commonly known as integrated security. To specify the Windows authentication, you can use any of the following two key-value pairs with the data provider. NET Framework for SQL Server:
Integrated Security = true;
Integrated Security = SSPI;
However, only the second works with the data provider .NET Framework OleDb. If you set Integrated Security = true for ConnectionString an exception is thrown.
To specify the Windows authentication in the data provider. NET Framework for ODBC, you should use the following key-value pair.
Trusted_Connection = yes;
Source: MSDN: Working with Connection Strings
Many questions get answers if we use .Net Reflector to see the actual code of SqlConnection :)
true and sspi are the same:
internal class DbConnectionOptions
...
internal bool ConvertValueToIntegratedSecurityInternal(string stringValue)
{
if ((CompareInsensitiveInvariant(stringValue, "sspi") || CompareInsensitiveInvariant(stringValue, "true")) || CompareInsensitiveInvariant(stringValue, "yes"))
{
return true;
}
}
...
EDIT 20.02.2018
Now in .Net Core we can see its open source on github!
Search for ConvertValueToIntegratedSecurityInternal method:
https://github.com/dotnet/corefx/blob/fdbb160aeb0fad168b3603dbdd971d568151a0c8/src/System.Data.SqlClient/src/System/Data/Common/DbConnectionOptions.cs
Integrated Security = False : User ID and Password are specified in the connection.
Integrated Security = true : the current Windows account credentials are used for authentication.
Integrated Security = SSPI : this is equivalant to true.
We can avoid the username and password attributes from the connection string and use the Integrated Security
Let me start with Integrated Security = false
false User ID and Password are specified in the connection string.
true Windows account credentials are used for authentication.
Recognized values are true, false, yes, no, and SSPI.
If User ID and Password are specified and Integrated Security is set to true, then User ID and Password will be ignored and Integrated Security will be used
Note that connection strings are specific to what and how you are connecting to data. These are connecting to the same database but the first is using .NET Framework Data Provider for SQL Server. Integrated Security=True will not work for OleDb.
Data Source=.;Initial Catalog=aspnetdb;Integrated Security=True
Provider=SQLOLEDB;Data Source=.;Integrated Security=SSPI;Initial Catalog=aspnetdb
When in doubt use the Visual Studio Server Explorer Data Connections.
What is sspi?
Connection Strings Syntax
True is only valid if you're using the .NET SqlClient library. It isn't valid when using OLEDB.
Where SSPI is bvaid in both either you are using .net SqlClient library or OLEDB.
In my point of view,
If you dont use Integrated security=SSPI,then you need to hardcode the username and password in the connection string which means "relatively insecure" why because, all the employees have the access even ex-employee could use the information maliciously.
Related
I have a database on which I have very limited access. I need to get some data from a VIEW from a database. I have a generic Windows account and I can only login if I Shift+Click on Sql Server Studio and open as different user and use the default Windows Authentication(No Sql Server Authentication Works). I created some DNSs but I can only login with the default Windows NT authentication and SQL Server. The problem is, when I use the Windows NT I get the error:
[Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user
'DOMAIN\SERVERNAME'. ERROR [28000]
My Code:
try
{
OdbcConnection cn;
OdbcCommand cmd;
string MyString;
MyString = "Select * from users";
cn = new OdbcConnection("dsn=DB77;UID=****;PWD=****;");
cmd = new OdbcCommand(MyString, cn);
cn.Open();
cn.Close();
}
catch(Exception e)
{
return e.ToString();
}
I want to use a Windows Authentication to get data from the db. Is it something wrong in Code, ODBC Data Source Admin, IIS?
I personally use NHibernate with MVC. Originally I picked it up because our database doesn't support EF but enjoy it enough that even if we moved to SQL Server I'd keep NHibernate.
The learning curve is kinda weird. It is definitely steep to become an expert, but it is interesting in that it is pretty organic to let it handle more and more of the work for you as you get comfortable with certain layers.
So for your case NHibernate probably supports your database, can be used as a simple data access layer (just returning DTOs), provides a database agnostic interface and can support SQL Server when the time comes. If you end up wanting more out of NHibernate it is there when the time comes.
nHibernate doesn't have anything to do with Windows Authentication. SQL server will use your process identity to authenticate
if configured to use windows authentication. What that means is that if your application is a web app, you'll need to ensure that your
application runs under the windows identity that can be authenticated by SQL Server.
And it's not possible to provide windows credentials via database connection string, unfortunately.
Example of connection string when using windows authentication:
Data Source=myServerAddress;Initial Catalog=myDataBase;Integrated Security=SSPI;
Impersonation:
http://msdn.microsoft.com/en-us/library/xh507fc5.aspx
I'm implementing Windows Authentication feature with SQL Server, for my project and faced this strange problem.
In the connection string, I have added a new parameter Trusted_Connection and if we have to enable the Windows authentication feature I'm setting it as yes otherwise setting it explicitly no. Even it should be by default no.
The feature was working fine until I tried passing an empty username and password in the connection string:
Driver={SQL Server};Server=localhost;Database=test;UID=;PWD=;Trusted_Connection=no
Strangely, this established a connection with the database and it seems to use the Windows user authentication. Tested by running from some other user who doesn't have required permissions and it failed.
The API used to connect to the SQL Server is:
SQLDriverConnect(
hDbc,
NULL,
ConnStr,
SQL_NTS,
NULL,
0,
NULL,
SQL_DRIVER_COMPLETE
);
Is this expected behaviour of this API? If so, is there any link where I could get this info?
Thanks in advance.
The "SQL Server" ODBC driver that ships with Windows is a legacy driver provided only for backwards compatibility. It interprets an empty UID as a request for Windows authentication regardless of the Trusted_Connection specification. The modern drivers (SQL Server Native Client and ODBC Driver n for SQL Server) honor the Trusted_Connection specification.
Thus using a "ODBC Driver 11 for SQL Server" solved my problem.
I am using jTDS driver to connect to a SQL Server database. I don't want to provide my Windows Domain username and password but would like to make use of Trusted_connection property in my connection string. However it seems as per this jTDS driver FAQ page there is no property named Trusted_connection supported by jTDS driver.
Given the application and SQL Server database are on the same host and I have ntlmauth.dll installed correctly, how do I take advantage of Trusted_connection property so that I don't have to specify username/password?
Is it that jTDS automatically makes use of Domain username and password as soon as it spots useNTLMv2 and domain properties being used as shown in the following connection url?
jdbc:jtds:sqlserver://DBHostName:Port/DatabaseName;useNTLMv2=true;domain=DomainName
NB: I could test this myself if only I have access to the code of the application.
As described in the file README.SSO, you need not specify any credentials.
In order to set up the jTDS driver to use Windows Single Sign On, users
will have to connect without providing a user name and password. This will
only work on Windows.
Driver example:
// No user name or password in URL or as parameters
DriverManager.getConnection(
"jdbc:jtds:sqlserver://localhost:1433/LionKing");
You need not specify the useNTLMv2 parameter either, if you do it determines the version of NTLM that will be used, not IF NTLM will be used or not.
My knowledge on OLEDB is minimal at best.
Is there a way to build a connection string to use a trusted Windows authentication rather than using User ID and Password?
Yes.
Here's an example for SQL Server 2008.
Provider=SQLNCLI10;Server=myServerAddress;Database=myDataBase; Trusted_Connection=yes;
If your database is something other than SQL Server 2008 (and the odds are probably pretty good that it's not), you can get just about any Connection String example from this site: http://www.connectionstrings.com/
or here http://www.carlprothman.net/Default.aspx?tabid=81
Since you didn't state what language you would be using the OLEDB call through I just posted some basic C# to do the trick.
using System.Data.OleDb;
OleDbConnection conn = new OleDbConnection();
conn.ConnectionString =
"Driver=SQLOLEDB;" +
"Data Source=ServerName;" +
"Initial Catalog=DataBaseName;" +
"Integrated Security=SSPI;";
conn.Open();
As MSDN states in the How To: Connect to SQL Server Using Windows Authentication in ASP.NET 2.0 article,
The connection string used with Windows authentication must include either the Trusted_Connection=Yes attribute, or the equivalent attribute Integrated Security=SSPI, as shown here.
So instead of User Id=...; and Password=...; you should include one of the options below in your connection string,
Trusted_Connection=Yes
Integrated Security=SSPI
I have always thought that in order to connect to SQL server using windows authentication with explicitly specified credentials, you must LogonUser, Impersonate, then connect.
It seems to me that this link suggests that it's possible to connect to SQL server without all this hassle, simply by specifying "uid=...;pwd=..." in connection string. I tested this method just to be sure it doesn't work, and - lo and behold - it didn't. If that blog post wasn't on msdn.com, I would have just dismissed it as noob talk, but it is.
Does anyone have an idea what am I missing?
EDIT1: Many respondents misunderstood what I was referring to. Here's a copy/paste of what I was talking about. It's not integrated SQL, nor it's an ASP.NET impersonation made by IIS:
string sql4 = String.Format(
#"Data Source={0};Integrated Security=SSPI;uid=<uid>;pwd=<pid>", server);
// Database + Windows Authentication + Username/Password
There are two distinct kinds of security with SQL Server. "Windows Authentication", and "SQL Server Authentication". When you see uid and pwd you're seeing the latter. The uid in this case is not a Windows principal - the OS knows nothing about it.
So the answer to your question is, no, you can't pass Windows user name and password in the connection string to log in to SQL Server.
It depends - if you connect from a command-line or Winforms app DIRECTLY to your SQL Server, you EITHER specify "Integrated Security=SSPI;" and then use your Windows credentials as logon credentials, OR you specify "user id=....;pwd=....." - but that's then a SQL logon - NOT your Windows logon.
You mention "impersonate and then connect" - that seems to indicate ASP.NET - that's a totally different story again. If you impersonate, then you're basically using your Windows credentials, e.g. the web server will "impersonate" you and log on as you (using your Windows credentials). In that case, again, no "uid=....;pwd=....." needs to be specified (if it is, it will be ignored).
As that link you mentioned clearly shows - if you can connect directly, and you specify "Integrated Security=SSPI;", then this takes precedence over any uid=...;pwd=.... which you might also specified and logs you in using your Windows credentials; those extra uid=...;pwd=.... pieces are ignored.
Marc
The article and point in question relates to SQL security, not integrated security. You can pass the credentials for a SQL user and log in in this manner if SQL authentication (mixed mode) is enabled. If the SQL server is set up to use integrated security only then this will not work. It will also not work to allow logging in using Windows logon credentials.
In our shop, we routinely use connection strings like you describe. No problemo. But your sql server database must be set up to use sql security, not windows authentication.
A sample connection string (from web.config) in our app looks like:
<connectionStrings>
<add name="ConfigurationData" connectionString="server=DevServer;
database=travel_expense_management_dv;uid=userid;pwd=password!;"
providerName="System.Data.SqlClient" />
</connectionStrings>
On the other hand, the DBA guru for our shop set me up a personal database on the main server that had integrated security with my Windows logon. I didn't need uid and pwd because it took my authentication info from context.
Yes, as you say, the article mentions this:
string sql4 = String.Format(#"Data Source={0};Integrated Security=SSPI;uid=<uid>;pwd=<pid>", server); // Database + Windows Authentication + Username/Password
But if you carefully read few lines later, it says this:
string sql4 -> Logs in with Windows login, ie. takes precedence over the username/password.
:)
This is very old but maybe someone has the same issue.
You can connect using WindowsAuthentication and specifying user id and password on your connection string, but not on every device. You can achieve this for example on WinCE devices (https://technet.microsoft.com/en-us/library/aa275613(v=sql.80).aspx).
I don't know if you can do the same thing on other OS just with the connection string (without doing the impersonation thing).
Hope it helps.
just a contribution also for some who was still encountering problem like this. Based on my experience if you don't specify any user/password in you connectivity it will automatically connect to db using windows authentication. Meaning it will get the userid and it's credential of the user who logged on to the machine. The system will allow you to connect to database if it identifies that your userid exist/created in the database. But once you specify your userid and password in your connectivity it bypass the windows authentication and use sql server authentication instead.