Level Extreme platform
Subscription
Corporate profile
Products & Services
Support
Legal
Français
ASPNET user password
Message
General information
Forum:
ASP.NET
Category:
Other
Title:
Re: ASPNET user password
Miscellaneous
Thread ID:
00845202
Message ID:
00845326
Views:
14
>However, when I impersonate, I still need to expose the password in the web.config file ( just as I was previously exposing the db password in my web.config ).

If you use Integrated Authentication you don't need to provide anything to SQL Server - it will grab it from the currently active account which will be the impersonated account.

Another option is to allow ASPNET access to your SQL Database. To do this simply add ASPNET as a user of the database and then add the user to your database. This is a potential security risk (but only if your machine is compromised already anyway)... then again so is Impersonation - even more so because with Impersonation you're giving extended rights to the Web user, whereas with adding ASPNET you're only allowing access to this specific resource (SQL).

+++ Rick ---


>
>So, what gives? One of the reasons cited in the article I read about windows authentication ( I think i read it in the recent security issue of MSDN Mag ) being so great is that you didn't have to deal with the password.
>
>Feedback anyone?
>
>Dave
+++ Rick ---

West Wind Technologies
Maui, Hawaii

west-wind.com/
West Wind Message Board
Rick's Web Log
Markdown Monster
---
Making waves on the Web

Where do you want to surf today?
Previous
Next
Reply
Map
View

Click here to load this message in the networking platform