July 30, 2010
Network Toaster
SQL Security Forums
Subject: integrated security vs. standard securit
ralph

01/26/2002 7:12 PM
What are the benefits of integrated security (Windows NT authentication) over the standard (SQL Server authentication)? It seems like the standard security provides a username/password that is totally independent of the web server itself. Thanks!
Chip Andrews

01/28/2002 3:56 PM
It does. However, that does not mean it is a better model - quite the contrary. The intrinsic SQL Server security model exists mostly for backward compatibility and is lacking most of the qualities that make a strong authorization system. Integrating the security between the web server and the SQL Server allows you to keep secrets out of the connection string and does not cripple connection pooling as long as you don't switch user context on the web server (i.e. as long as you use anonymous authentication vs. NTLM/Basic/Digest).
ralph

01/28/2002 4:42 PM
Suppose that the SQL server and IIS 5.0 web server are located on the same computer, then does it still matter if you use the standard security or the Windows integrated security? The web server is making connections to itself (e.g., the SQL server) and the contents of the connection string can't be compromised, or can they?

Also, I've been trying to set up a SQL server database with Windows NT integrated authentication. I set up several dummy users "userA", "userB", and "userC" under a group called "DBusers". Using Enterprise Manager I created a new "testDB" database giving "database creation" privileges to the group "DBusers". This appears to be okay, but I cannot figure out how to log into SQL server remotely now with Windows integrated authentication. I've been used to using the ODBC control panel to create system DSNs to the SQL server database (for standard security), but now I seem to be at a roadblock. Using the ODBC control panel I can create a system DSN to access the SQL server with "Windows NT authentication" but I can't find a place to enter the username and password for integrated security. Should I even be trying to create an ODBC connection for integrated security?
Chip Andrews

01/29/2002 10:47 AM
You should not be entering a username and password for Integrated security - that would defeat the purpose. You should simply include a command in your connection string that tells the Data Provider to use Integrated Security (i.e. Integrated Security=SSPI or Trusted_Connection=yes).

Try Howard, Levy, and Waymire, Designing Secure Web-Based Applications for Microsoft Windows 2000 (Microsoft Press, 2000), or KB Q247931, KB Q229694 (The Whatif tool), KB Q307002.
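The difference described in the reply above, as an added example that is not part of the original thread: a small Python checker that parses SQL Server connection strings and reports whether each one uses integrated security or carries a stored password. The host `dbhost`, the login `webapp`, the sample strings and the finding labels are all constructed for this example.

```python
import re

# Keyword synonyms used by the ODBC and OLE DB SQL Server providers.
SECRET_KEYS = {"password", "pwd"}
USER_KEYS = {"user id", "uid"}
TRUSTED_KEYS = {"integrated security", "trusted_connection"}
TRUSTED_VALUES = {"sspi", "yes", "true"}

# key=value pairs separated by ';'. A value may be quoted or wrapped in {} (ODBC).
PAIR = re.compile(r"""\s*([^=;]+?)\s*=\s*("[^"]*"|'[^']*'|\{[^}]*\}|[^;]*)\s*(?:;|$)""")

def parse(conn_str):
    """Return {lowercased keyword: value}; the last occurrence of a keyword wins."""
    pairs = {}
    for key, value in PAIR.findall(conn_str):
        value = value.strip()
        if len(value) >= 2 and value[0] in "\"'{":
            value = value[1:-1]          # drop the surrounding quotes or braces
        pairs[key.lower()] = value
    return pairs

def audit(conn_str):
    """Return (mode, findings) where mode is 'integrated' or 'sql-login'."""
    kv = parse(conn_str)
    trusted = any(kv.get(k, "").lower() in TRUSTED_VALUES for k in TRUSTED_KEYS)
    has_secret = any(kv.get(k) for k in SECRET_KEYS)
    has_user = any(kv.get(k) for k in USER_KEYS)
    findings = []
    if has_secret:
        findings.append("password stored in connection string")
    if trusted and (has_user or has_secret):
        findings.append("credentials present alongside integrated security")
    if not trusted and not has_user:
        findings.append("no authentication mode specified")
    return ("integrated" if trusted else "sql-login"), findings

# Constructed sample connection strings (not taken from the thread).
SAMPLES = [
    "Provider=SQLOLEDB;Data Source=dbhost;Initial Catalog=testDB;Integrated Security=SSPI",
    "Driver={SQL Server};Server=dbhost;Database=testDB;Trusted_Connection=yes",
    "Driver={SQL Server};Server=dbhost;Database=testDB;UID=webapp;PWD=example-only",
    "Provider=SQLOLEDB;Data Source=dbhost;User ID=webapp;Password='ex;ample';Integrated Security=SSPI",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(audit(s), "<-", s)
```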
Uday

04/29/2002 6:37 AM
I too tried the same, i.e., SQL Server and IIS sitting on different machines. To access the SQL Server through IIS, I created IUSR_MachineName on the SQL Server machine both on NT level and SQL level. But it still does not work. It gives me the error:

Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user '(null)'. Reason: Not associated with a trusted SQL Server connection.
whodgert

06/19/2002 5:54 PM
Change the SQL Server security to Windows and SQL logins. It defaults to Windows only.

Copyright 1999 by Chip Andrews