Windows Authentication with IIS and SQL Server
Message
From
16/09/2005 03:32:49
 
 
To
15/09/2005 17:38:59
Keith Payne
Technical Marketing Solutions
Florida, United States
General information
Forum:
Microsoft SQL Server
Category:
Other
Miscellaneous
Thread ID:
01049749
Message ID:
01050158
Views:
28
Hi Keith,

We are using ASP rather than ASP.Net - is your reply still relevant?


>
>There's really no problem using a domain account to run a web service. As long as it is a single domain account and the permissions for the domain account are well managed, it is no different than a local machine account.
>
>If you are not planning to impersonate NT credentials in ASP.NET, there will be no problems. In fact, this is the method that Microsoft envisioned for IIS, ASP.NET, Web Services and SQL Server working together. In essence, the security model is moved from SQL Server to ASP.NET.
>
>Add Code Access Security into the mix, and permissions to execute functions and methods can be declarative within the code using roles (similar to granting execute rights to a stored procedure). You can still dynamically control permissions for individual users if you structure the role declarations correctly. Each function/method would have its own role "namespace.myfunction_execute". The roles can be grouped together into application level roles and assigned to users or groups.
>
>However, if you aren't going to use roles and instead want to impersonate NT credentials through ASP.NET - and you have a 3+ server implementation (IIS/ASP.NET, middle-tier, SQL Server), there is a gotcha. You cannot impersonate NT credentials over two hops. You can impersonate from IIS to the middle-tier, but not from IIS all the way to SQL Server. This can be a problem if you want to log transactions at the database level.
>
>- Keith
>
>
>>Hi,
>>
>>We are changing our web application to use Windows Authentication instead of SQL Server Authentication.
>>
>>Initially, we added the IUSR_MACHINENAME user to SQL Server. This works ok when SQL Server and IIS are both running on the same server.
>>
>>However, this won't work if SQL Server and IIS are on different servers on the same domain.
>>
>>After doing a lot of research on the internet, it seemed that the answer was to create a user on the domain and use that user in IIS as the anonymous user (and give that user the relevant rights on SQL Server).
>>
>>However, I've seen other comments in articles on the internet saying "Running any web service as a domain user is ill-advised".
>>
>>We are using ASP rather than ASP.NET. What is the correct (and most secure) way to go about this?
>>
>>Best
>>
>>Matt.
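
The setup discussed in this thread (one domain account as the IIS anonymous user, with tightly managed rights on SQL Server), as an added example that is not part of the original posts. The account `CONTOSO\svc_webanon`, the database `AppDb` and the procedure names are hypothetical placeholders; the syntax assumes SQL Server 2005 or later (`ALTER ROLE ... ADD MEMBER` needs 2012 or later).

```sql
-- Hypothetical names throughout: CONTOSO\svc_webanon is the domain account
-- configured as the IIS anonymous user; AppDb and the usp_* procedures are
-- stand-ins for the application's own database and stored procedures.
USE master;
GO
-- Windows login for the domain account: no SQL password exists to store or leak.
CREATE LOGIN [CONTOSO\svc_webanon] FROM WINDOWS WITH DEFAULT_DATABASE = AppDb;
GO
USE AppDb;
GO
-- Map the login to a database user and put it in a purpose-built role.
CREATE USER web_anon FOR LOGIN [CONTOSO\svc_webanon];
CREATE ROLE web_app_exec;
ALTER ROLE web_app_exec ADD MEMBER web_anon;
GO
-- Grant only what the ASP pages call: EXECUTE on named procedures.
-- No table-level SELECT/INSERT/UPDATE/DELETE and no fixed database roles.
GRANT EXECUTE ON OBJECT::dbo.usp_GetOrders TO web_app_exec;
GRANT EXECUTE ON OBJECT::dbo.usp_AddOrder  TO web_app_exec;
GO

-- Check 1: the login must not hold sysadmin (1 means it is over-privileged).
SELECT IS_SRVROLEMEMBER('sysadmin', 'CONTOSO\svc_webanon') AS is_sysadmin;

-- Check 2: list every database role the user belongs to; anything besides
-- web_app_exec (db_owner, db_datareader, ...) should be reviewed.
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = 'web_anon';

-- Check 3: view effective permissions as the web user sees them.
EXECUTE AS USER = 'web_anon';
SELECT permission_name FROM sys.fn_my_permissions(NULL, 'DATABASE');
SELECT permission_name FROM sys.fn_my_permissions('dbo.usp_GetOrders', 'OBJECT');
REVERT;
GO
```

Because every anonymous request reaches SQL Server as this one login, per-user auditing at the database level has to come from values the application passes in, not from the connection identity.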