We're talking about two different things. Windows authentication from the web server process to the database, not from the end user to the web server through to the database.
-----Original Message-----
From: Unmoderated discussion of advanced .NET topics. [mailto:[EMAIL PROTECTED] On Behalf Of Philip Nelson
Sent: Thursday, December 09, 2004 11:52 AM
To: [EMAIL PROTECTED]
Subject: Re: [ADVANCED-DOTNET] How and where to store securely a database connection string

Having struggled with SSPI options in the past, I would warn about a couple of things.

First, using SSPI may mean that you successfully enable Kerberos throughout your company. This will be true in any web server scenario, and is probably true in any remoted scenario as well. Windows makes it easy to get this process started, but in our experience, it was next to impossible to implement reliably. Users who were working would stop working. In some cases the only solution was to rebuild profiles which means there was some registry setting problem somewhere, but we could not find it. In other cases, things like extending across subnets or a completely reliable win32time function was required. After about a month of effort, we bailed.

Second, while I liked the idea of users being given roles based on windows security groups, in a larger organization, the meanings of these roles may not be as clearly understood by system administrators as they would be within a specific application. And of course, now the user has actual access to the database, instead of access granted to an application that has access to a database. This opens up more "interesting" security and data integrity challenges than you may really want to tackle.

--- Bob Provencher <[EMAIL PROTECTED]> wrote:

> One idea is to use windows authentication. Specify Integrated
> Security=SSPI. The account accessing the database will be the one the
> process is running under... You don't have to encode the username and
> password into the connect string.
>
> -----Original Message-----
> From: Unmoderated discussion of advanced .NET topics.
> [mailto:[EMAIL PROTECTED] On Behalf Of Eddie Lascu
> Sent: Thursday, December 09, 2004 10:54 AM
> To: [EMAIL PROTECTED]
> Subject: [ADVANCED-DOTNET] How and where to store securely a database
> connection string
>
> I would like to hear about different options to securely store a
> database connection string.

=====
Philip - http://blogs.xcskiwinn.org/panmanphil
"There's a difference between righteous anger and just being crabby" - Barbara

===================================
This list is hosted by DevelopMentor. http://www.develop.com
Some .NET courses you may be interested in:
Essential .NET: building applications and components with C#
November 29 - December 3, in Los Angeles
http://www.develop.com/courses/edotnet
View archives and manage your subscription(s) at http://discuss.develop.com
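The Integrated Security=SSPI option quoted in this thread, as an added example that is not part of any poster's message: a C# check that flags connection strings carrying an embedded login and passes ones that rely on the process account. The class name, server, database and login values are constructed placeholders; the keyword lists are the SqlClient connection-string keywords and their synonyms.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Common;

static class ConnectionStringAudit
{
    // SqlClient keywords (and synonyms) that embed a SQL login in the string.
    static readonly string[] CredentialKeys = { "User ID", "UID", "User", "Password", "PWD" };
    // SqlClient keywords that select Windows authentication.
    static readonly string[] IntegratedKeys = { "Integrated Security", "Trusted_Connection" };

    // Returns findings for one connection string; an empty list means it passes.
    public static List<string> Audit(string connectionString)
    {
        var findings = new List<string>();
        // Parses key=value pairs; key lookups are case-insensitive.
        var parsed = new DbConnectionStringBuilder { ConnectionString = connectionString };
        foreach (string key in CredentialKeys)
            if (parsed.ContainsKey(key))
                findings.Add("embedded credential keyword: " + key);
        bool integrated = false;
        foreach (string key in IntegratedKeys)
        {
            if (!parsed.TryGetValue(key, out object value)) continue;
            string v = Convert.ToString(value).Trim();
            integrated |= v.Equals("SSPI", StringComparison.OrdinalIgnoreCase)
                       || v.Equals("true", StringComparison.OrdinalIgnoreCase)
                       || v.Equals("yes", StringComparison.OrdinalIgnoreCase);
        }
        if (!integrated) findings.Add("Windows authentication is not enabled");
        return findings;
    }

    static void Main()
    {
        // Constructed samples: server, database and login names are placeholders.
        string[] samples =
        {
            "Server=db01;Database=Orders;User ID=webapp;Password=example-only",
            "Server=db01;Database=Orders;Integrated Security=SSPI",
        };
        for (int i = 0; i < samples.Length; i++)
        {
            List<string> findings = Audit(samples[i]);
            // Print findings only, never the connection string itself.
            Console.WriteLine("sample {0}: {1}", i + 1,
                findings.Count == 0 ? "ok" : string.Join("; ", findings));
        }
    }
}
```

A string that passes this check holds no secret, so its storage location matters far less; access control then rests on which Windows account the web server process runs as and what that account is granted in the database.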