Last post Jan 06, 2016 01:45 AM by jubbabo
Jan 05, 2016 08:09 AM | BigHead80
Hello everyone! I am totally a newbie in this forum.
Background of my ASP.NET environment:
IIS 7.5 on Windows 2008R2 Web Server
MS SQL Server 2008R2 on Windows 2008R2 Enterprise Server
I have just developed an ASP.NET application using the .NET 4.5 framework and would like to use my existing domain account to connect with the SQL Server. However, I would like to use a normal account (which should be something like a web$ account) to connect with IIS. Is that possible? I have read recommendations on the web saying I have to use the "Impersonation" feature in the web.config. I don't really like to grant my domain account access rights in IIS, with custom access rights on a couple of folders.
My question is, is it possible for me to connect to the SQL Server using a domain account while using a normal account to access IIS? It seems to me the impersonation feature will use that domain account to access IIS, and it creates more work for me to grant access rights in IIS.
I hope you guys can drop me a line if you would like to share with me your precious experience regarding this. And, I am more than willing to explain a little bit more if you don't get my idea. :P
Jan 05, 2016 11:10 AM | ignatandrei
Put the App Pool for your site to run under a domain account that has rights to SQL Server.
Jan 06, 2016 01:45 AM | jubbabo
For me, I change the IIS application pool identity (the user that runs the site) from 'ApplicationPoolIdentity' to the specific domain user, with LoadUserProfile set to true.
This is used to explicitly grant file and folder access rights only.
For the SQL DB connection, I use a specific SQL user credential and assign a specific DB role and DB access rights to that SQL user. Use this SQL user credential in the connection string of the ASP.NET application's web.config/app.config.
For your case, if you want to maintain user control in one place, simply assign your domain user as this IIS application pool user and grant SQL access rights to this domain user.
My config is a bit more work, but it's more manageable, as SQL has its own credential to access and do things to the DB only, while the website can run by itself with an explicit user that has specific directory access rights granted.
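
The setup both replies describe, as an added example that is not part of any post in this thread: the app pool runs as a specific domain user with LoadUserProfile enabled, and the application connects to SQL Server with integrated security, so no impersonation setting and no password in web.config are involved. The pool name, account, server and database names are assumed placeholders.

```powershell
# Added example; run in an elevated PowerShell session on the IIS server.
Import-Module WebAdministration

$poolName = 'MyAppPool'                    # assumed: name of the site's app pool
$cred     = Get-Credential 'CONTOSO\svc-web'   # assumed: low-privilege domain service account
$poolPath = "IIS:\AppPools\$poolName"

if (-not (Test-Path $poolPath)) {
    throw "Application pool '$poolName' was not found."
}

# identityType 3 = SpecificUser (replaces the default ApplicationPoolIdentity).
# The password is prompted for above, not written into this script.
Set-ItemProperty $poolPath -Name processModel -Value @{
    identityType = 3
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# Load the account's user profile when the worker process starts.
Set-ItemProperty $poolPath -Name processModel.loadUserProfile -Value $true

Restart-WebAppPool -Name $poolName

# Confirm what the pool will run as.
Get-ItemProperty $poolPath -Name processModel |
    Select-Object identityType, userName, loadUserProfile

# Connection string for web.config: with Integrated Security the worker
# process identity (the domain account above) authenticates to SQL Server.
$csb = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
$csb['Data Source']         = 'SQLHOST01'  # assumed: SQL Server host
$csb['Initial Catalog']     = 'AppDb'      # assumed: database name
$csb['Integrated Security'] = $true
$csb.ConnectionString
```

On the SQL Server side the same domain account still needs a login and only the database roles the application requires; anonymous visitors to the site are unaffected by the pool identity.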