Is it possible to change the SQL Server distributed cache connectionString at runtime? I'll exemplify my scenario:
I'm using sessions to store user state.
Sessions are saved in SQL Server Distributed Cache.
Each user has a designated database.
After login I need to store each user's session in their specific database, for this reason I must change the connectionString as different users log into the application.
Method I need to change the connectionString method
It's possible ?
Related
I have the project to create a C# application for multiple users. Users' credentials will have to be stocked in a SQL Server database table.This database will be used to stock further informations in other tables.
At an application user account creation, his level of permissions on the database will be set.
Knowing that the server/database login/users are already stocked in a system table in the database, can I use this table as my application credentials table too ?
In this case, could it allow to have a unique log for the application and the SQL server.
Thank you.
The short answer is yes but why would you want to allow users to access the SQL Server, that's the job of the C# application. The basic C# application template should be able to take care of the permission levels. These are generally stored in the aspnet database on your SQL server.
The safest approach is to have a single SQL user for each level of access, which can then be determined by the application, once the user has logged in.
You can easily log the who, what, when and why, by creating a simple logging method in C#, which records every SQL transaction.
(I would have put this in the comments but apparently my reputation isn't good enough ;-)
You might be able to do something like this, but I would advise against it. If it were me, I would do something like this (if I understand your scenario correctly, and just generally speaking....this is of course only one way)
Figure out the set of database access levels you want users to have
Create a sql user per scenario in sql server and add to the appropriate role to get the access required
Create an application role table with an ID column and the credentials for the sql users you created in step 2.
Create an application user table which stores user credentials and other information, including a role id which is a foreign key to the table created in 3.
In your application, when generating your sql connection/s, you can then use the application role details for the logged in user to create your sql connection string dynamically
I'd have to implement my own security for the application (windows form).
The application is for internal use (10 users) but security is very important due to sensitive data. (SQL Server 2008 is in the back end, .NET 4.0)
I don't have a login form but I have a connection string in app.config. So I guess that maybe app.config is a good place to implement AD groups? Or borrow asp.net membership provider?
Thanks for advice.
If you're trying to maintain database permissions, set them on the database and have your application use Integrated Security=True in the connection string. The user will connect as themselves to the database and have whatever permissions the database specifies.
Why not just use active directory group membership to control security? Your connection string to the SQL Server database can go in the config file, but you should probably 'encrypt' that before releasing it to clients.
If you're determined to check the user's AD groups and prevent the application from continuing to run on startup, take a look here.
We currently have a winforms app that allows users to log in in order to access the system. The authentication system is a custom made kludge. I'm working on a implementing a change that links users NT username and domainname to their existing custom account so that they don't need to repeatedly log in. I'm using WindowsIdentity.GetCurrent().Name then storing that information in a database table that maps to their old accountid. What I'm wondering is if it would be possible for a user to vpn into the network with a computer name that mirrors the real domain name? This could potentially give a rogue user access to someone elses account. I guess the real question is: is there a way to differentiate between the sql servers domain and a users domain without just doing a string compare on the names.
Yes it would if your app was using SQL Authentication to access the database. If you change the Database connection to use trusted authentication then the SQL Server will authenticate the login against the domain controller. So despite the user having access to the application they wouldn't be able to access the database driving the applicaiton. If you did this you could also move the capturing of the user name to a SQL Server stored procedure which would ensure that the name captured matched that of the Domain rather than the local users.
THE SERVER MUST NOT TRUST THE CLIENT.
If the client can get and use credentials to log in to the database server you're toast.
If your server is only a database server and your application does not use trusted connections and your application does not prompt for db credentials you're toast. (See previous statement.)
I'm lazy. I'll patch WindowsIdentity.GetCurrent().Name to return "Administrator" if I feel like it.
I have written some C# which connects to a live production database. I want to give my application read only access to the DB but am unsure how to achieve this.
Is there any trivial way to get this done by amending the connection string?
My understanding is that the application will logon with the credentials of the person running the application and hence may or may not have write access to the db based on that fact. Can I statically limit the permissions of the application so that if someone changes the program to do something devastating at a later date any manipulation will fail?
Apologies for how trivial the question may be but it's my first venture into the world of MS programming.
Thanks,
Gav
You can't change the permissions for the account by changing the connection string. There is a user account in the database that determines the permissions.
Unless you want different people to have different permissions, you should set up an account for the application and use in the connection string.
For any account in the database you can specify which databases it can access, and what it can do with the databases. The permissions can be specified down to the level of objects and operations, so you can for example specify that it can only do selects on certain tables.
Have it login to the database server as a user that only has read-only permissions. That and just don't try to write anything to the database.
You can always grant the user connection to your database just the "db_datareader" role on that database.
db_datareader gives your user SELECT permission on all tables - but nothing more.
There are basically two main types of SQL Server authentication:
Integrated Windows authentication and
Mixed authentication mode (SQL Server authentication)
It sounds like you are using the former. If you use the latter you can create a specific user account within SQL Server, give it a username and password, and then grant access to the tables you wish it to be able to read. You can control at the account level what access it has to any object in the database.
See http://msdn.microsoft.com/en-us/library/ms144284.aspx for more details.
Just a thought; usually not every logged in user gets to access the database, let alone a read-right. Therefore you in your case you can create a database user for your application with read rights; and use that in your connection string.
I am connecting to a SQL Server database via LINQ in my ASP.NET application (returning results to a web service). The problem is that it only returns results when I'm running it in debug/test mode - When I publish the service I get an error telling me
"Login failed for user 'NT AUTHORITY\NETWORK SERVICE' "
So how do I set / provide the credentials I want the site to use to log into SQL Server?
Thanks in advance for any help
You have to set the credentials in the connection string.
It's possible that the connection string to use on the server will be different than the credentials to use during Development. Ask your DBA which credentials you should use.
You are likely not passing a connection string into your DataContext constructor, causing your program to use the connection string in the constructor, which you have been using for development.
So instead of using something like this:
using (var dc = new MyDataContext()) {
...
}
use
using (var dc = new MyDataContext(MyConnectionString)){
...
}
... and take MyConnectionString from your config file...
A few questions first
Is the SQL server on the same machine?
If it's on a different machine is it in a domain?
Are you using a full SQL installation, or SQL Express?
I'm going to assume you're using a full version of SQL, because if you're using SQL Express user instances will not give you this problem.
If it's on the same machine then you need to add Network Service to the list of allowed users in SQL. To do this start SQL Management studio, expand the security folder, then right click on Logins and choose New Login. Click search on the "Login - New" dialog, making sure Windows Authentication is selected then enter Network Service in the object name box and click Ok. Choose the database you want it to access from the drop down list in the Login - new page and click ok. Finally expand out the databases folder and for each database you wish to grant access to expand out security, right click on users, then select the network service login name, give it a name in the dialog of Network Service and grant it the right access by checking the role in the Database role membership list. If you're messing around db_owner will be fine, you will want to lock this down later.
If the SQL server is on a different box and you are in a domain you can run the application pool as a domain user and grant that access on the SQL box. How to do this varies on the version of IIS.
Finally you can use SQL logins and passwords if the SQL server is configured to do this. Create a SQL user and then add them to the connection string like so
Data Source=myServerAddress;Initial Catalog=myDataBase;User Id=myUsername;Password=myPassword;
In your question, it is unclear if you are using a different database between development and production. Typically, you would have (at least) two copies of the database and would set the connection string to point to the correct environment when you deploy typically by changing the value in the web config. Alternatively, you could set the connection string at runtime using the technique Dave mentions.
In your case, I suspect that you are using integrated authentication and getting cought off-guard by SQL security permissions. When you are testing this in your local environment by debugging it in Visual Studio, it runs under your security credential. Most likely, your user account is an administrator (db owner) in the database and thus you have full permission against the database.
When you deploy this, IIS is running under the NetworkService credential. When you try to access the database, the request fails because NetworkService has not been given rights in the database on each of the tables/views/sprocs/etc.
If you have mixed mode set on your server, you can set the permissions on each database object to a SQL user and set the SQL user and password in your web.config. Alternatively, you can change the user account that the IIS process works under and configure the database to work with that user.