Last post Jul 21, 2017 08:01 AM by carlakawill
Jul 20, 2017 02:12 PM|carlakawill
I am using the ASP.NET forms authentication method for authenticating users and have installed the SQL package on my SQL Server database. While developing my application the connection string has been using Integrated Security, which allows me access as my user account has access. However, when anonymous users try to log in to the site they won't have access to the database to verify their login credentials.
What is the standard practice for configuring the connection to the database? If I deploy my site to IIS and run the app, when logging in I get an error because the machine account it uses to run it doesn't have access. Do people create a new account to run the app and give it access to the SQL Server DB, or do I create a SQL user on the server and hard code the credentials in the web.config file? The latter seems unsafe as the credentials would potentially be accessible.
Jul 20, 2017 06:17 PM|PatriceSc
I'm always wary of so-called "standard" practices. Ultimately it is most often a trade-off based on your own considerations.
AFAIK it's quite common to create a custom identity for your application pool and to grant access to this identity.
You could also grant access to the machine account. The drawback is that all apps hosted on this web server have potential access to your db, but for example you could have a dedicated web server for this particular application or for your own internal applications.
If using web.config credentials you can also encrypt the relevant section...
Jul 21, 2017 08:01 AM|carlakawill
Thanks for your insight. I think creating a custom identity will be the way forward for my situation. No credentials held in plain text or a need to encrypt. Plus I already need to give the application access to the DB once the users are authenticated, so this custom identity will work and feel more secure.
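
The custom application pool identity approach discussed in this thread, sketched on the SQL Server side as an added example that is not part of any post above. It assumes the application pool runs as a Windows domain account, that the "SQL package" is the membership schema installed by aspnet_regsql, and SQL Server 2012 or later; `CONTOSO\svc-webapp` and `AppDb` are placeholder names.

```sql
-- Added example. CONTOSO\svc-webapp (app pool identity) and AppDb are placeholders.
-- The web.config connection string then carries no password, e.g.:
--   Data Source=<server>;Initial Catalog=AppDb;Integrated Security=SSPI

USE [master];
GO
-- 1. Server-level login mapped to the Windows account the app pool runs as.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\svc-webapp')
    CREATE LOGIN [CONTOSO\svc-webapp] FROM WINDOWS;
GO

USE [AppDb];
GO
-- 2. Database user for that login, in the application database only.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\svc-webapp')
    CREATE USER [CONTOSO\svc-webapp] FOR LOGIN [CONTOSO\svc-webapp];
GO

-- 3. Least privilege: the role aspnet_regsql creates for credential
--    validation, instead of db_owner. Assumption: the site only needs to
--    validate logins; add further aspnet_* roles only if a feature needs them.
ALTER ROLE [aspnet_Membership_BasicAccess] ADD MEMBER [CONTOSO\svc-webapp];
GO

-- 4. Check what the identity actually holds. Expect only the role(s)
--    granted above, and 0 for the sysadmin check.
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'CONTOSO\svc-webapp';

SELECT IS_SRVROLEMEMBER('sysadmin', N'CONTOSO\svc-webapp') AS is_sysadmin;
```

Run the final two queries again after any deployment change to confirm the identity has not picked up broader rights than the application needs.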