I have a website that is used for uploading data to a restricted database. Usually when I built out connection strings for SQL Server inserts, it was from an in house user so I could use windows authentication, what's the best practice for when the user does not have access to the database?
The best practice is to authorize your IIS APPpool where your website is running on... You can simply do this by creating a user in sqlserver.... FOr example IISApppool\Yourapppoolname. You can find the name of the pool where your site is running in the IIS manager.
Yes exactly, read this article msdn it's very interessant
Link : http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlconnection.connectionstring(v=vs.71).aspx
Link : http://www.connectionstrings.com/
You have to use a SQL user specific to the website.
Related
So I wrote quite a few ASP.NET web applications and there I often used the forms authentication. Now I need to do the same but in a client application. What would be the best way to create something like this?
I was searching for it for some time now but I didn't find something that I could implement in my project. I just need to have a login screen and only when it is valid with the user logins I created I should be able to use the complete application.
Can someone please help me?
There are probably several approaches that you could take. If the application is internally distributed you could use a database connection to something like SQL Server where you would have accounts set up to validate against. If the distribution is external you may want to consider setting up a server and using socket connections in your application to make calls to your server(again storing account information in a back end database) to validate users.
I remember using ASP.NET Identity for that purpose. Was very easy and everything is pretty much ready.
ASP.NET Core Identity is a membership system that adds login
functionality to ASP.NET Core apps. Users can create an account with
the login information stored in Identity or they can use an external
login provider
learn.microsoft.com/en-us/aspnet/core/security/authentication/identity
I developing ASP.Net MVC website which uses an ADO.Net Entity Data Model to connect to a MS SQL Server.
To access data it uses WebApis in views called from jquery which use the above datamodel to get data, and it also uses code in the view controller which also uses the same datamodel.
When I run this locally (on the development machine), everything works fine. However, when I deploy it to IIS v10.0 and try to access the website from another machine, it partially works. Calls to the database made using the WebApis fail with a:
HTTP500: SERVER ERROR - The server encountered an unexpected condition that prevented it from fulfilling the request.
Whilst pages that call data access code from the view controller work correctly.
When I look at the error for the WebAPI I see that the following error is produced:
"ExceptionMessage":"Login failed for user 'xxx\yyy-zzz-15$'
I don't know why this login is being used - I would expecting it to be using the 'NT AUTHORITY\IUSR' login, like the data access code from the view controller does.
Any thoughts?
you have two options
in database add that user to NT AUTHORITY\SYSTEM and give it the
permissions to your database.
make new user login in database and give it the
permissions to your database and change the web.config to not be integrated
security and add the user ID and password.
Your problem as it stands is because you are running as a default account - you've then asked that account to access other machines and data. To fix that you need to have it work as an actual account.
To have your webcode run as a user the simplest way is get a functional account from your AD team, and then set the pool for your site to be that AD account, and allow that AD account also the appropriate (eg not sa) to SQL.. As per comment to Mohamed's options above.
Please check the application pool on which your website is running. If the app pool is running on a service account, you need to add same account to your database server and assign proper permissions.
In your connection string, if you don't set the user, it will use the IUSR user.
And the IUSR User will not have enough permission to connect to the database.
I don't recommend to give rights to the IUSR user because this can cause security issues!
Instead, you should define your user id and password in your connection string.
If there is not user that you can use in your server, you can create a new user and give necessary permissions to this user.
here is a simple connection string :
data source=yourServerID;initial catalog=YourDatabaseName;user ID=yourNewUser;password=PasswordOfYourNewUser;
To configure a new user :
https://support.chartio.com/knowledgebase/granting-table-level-permissions-in-sql-server
I am writing a small addon mobile app to an existing applications database, the application stores login details through SQL Server logins:
I want to be able to use these existing logins (and permissions if possible) in my mobile web app but I can't find if there is an easy way to do this.
I was hoping there would be an existing provider that would allow me to do this via the web.config.
Is there any way to do this without having to code all the login/authentication manually?
eg:
<providers>
<add name="SQLProfileProvider" type="System.Web... />
</providers>
Alternatively does anyone know of any resources that could help me do it manually?
Please don't judge to harshly if I'm being an idiot, this is my first foray into asp.net!
Update:
Maybe it wasn't clear what I am trying to do so I will try and expand.
I have an existing desktop application (not under my control).
It uses SQL Server 2008 to store it's data and it authenticates users using SQL Server Logins.
I am writing a web app to connect to this database.
I want to allow users to log in to the web app with their existing login details from the desktop application.
eg. I have a database with the user 'abc123':
I want to be able to use this login within asp:
I know this is possible using my own membership provider within MVC but if this has already been written I would love to be able to use an existing membership provider.
Does anyone know if this membership provider exists?
The question is interesting in fact. I've never heard of an out-of-the-box membership provider that directly uses sql logins. So, my answer is 'no that doesn't exist'.
I can't imagine it would be terribly difficult to write however. Just implement the MembershipProvider (http://msdn.microsoft.com/en-us/library/System.Web.Security.MembershipProvider(v=vs.110).aspx) and run sql scripts for all of the 'CreateUser' stuff. It should work in a very straight forward manner.
I would just note that this is a very non-traditional use of the db logins. But I see how you would instantly get the benefits of any permissions applied to the users/roles setup in the database. This is not very scalable, but you would have very granular permissions in place.
Maybe a more scalable solution would be to have a users table mapped to generic logins that represent certain types (e.g. ReadOnlyLogin, WriteableLogin, etc.) That way you may have 100 users, with usernames and passwords in a table, and then have them assigned to a particular dblogin (mentioned above). When a user logs in, you would then use the given login whenever they accessed the db, enforcing any permissions set on the login. So, Bob, Frank, and Harry would use ReadOnlyLogin, and Sally, Jane and Samantha would use WriteableLogin. Just a thought.
I'd have to implement my own security for the application (windows form).
The application is for internal use (10 users) but security is very important due to sensitive data. (SQL Server 2008 is in the back end, .NET 4.0)
I don't have a login form but I have a connection string in app.config. So I guess that maybe app.config is a good place to implement AD groups? Or borrow asp.net membership provider?
Thanks for advice.
If you're trying to maintain database permissions, set them on the database and have your application use Integrated Security=True in the connection string. The user will connect as themselves to the database and have whatever permissions the database specifies.
Why not just use active directory group membership to control security? Your connection string to the SQL Server database can go in the config file, but you should probably 'encrypt' that before releasing it to clients.
If you're determined to check the user's AD groups and prevent the application from continuing to run on startup, take a look here.
I have a small web application in asp.net and I'm using SQL Server. How do I authenticate my web application to block some people from changing the database?
This statement has to change from this:
Data Source=AYKUT-PC;Initial Catalog=BUS;Integrated Security=True
To something like this:
Data Source=AYKUT-PC;Initial Catalog=BUS;Integrated Security=False
Integrated Security is a feature that allows SQL Server to authenticate a user based on their Windows login.
You could also use SQL Server authentication, which would require a specific user name / password to login.
Finally - you could use Mixed mode that would allow both SQL Server and Windows authentication.
Here's an article about it: http://technet.microsoft.com/en-us/library/ms144284.aspx
If you would like a more detailed answer about how to implement it - you should probably give more information about your situation, and what your requirements are.
EDIT:
SQL Server can restrict permissions to users (or SQL Logins). So you could restrict acccess to certain tables through a combination of authentication methods and security permissions.