Visual Basic and Visual C# Concepts
Accessing SQL Server Using a Mapped Windows Domain User

By default, ASP.NET applications run in the context of the local user called ASPNET in Windows 2000 and Windows XP or NETWORK SERVICE in Windows Server 2003. These user accounts have limited permissions. However, the ASPNET or NETWORK SERVICE user is local to the Web server computer and is therefore not recognized as a user on remote computers. To get around this limitation, you can have your application run in the context of a Windows domain user that is recognized on both the Web server computer and on the SQL Server computer.

Mapping your application process to a Windows domain user requires that you configure the following:

  • The Web server computer   You must be sure that the Windows domain user you specify has sufficient privileges (but no more) to run a Web application.
  • Your application   You need to configure the Web.config file to specify that ASP.NET use integrated security, which allows ASP.NET to recognize the mapped user name.
    Note   For information on the machine.config and Web.config files, see ASP.NET Configuration.
  • Connection string   When you create connection strings for connection objects in your application, you need to specify that they will use integrated security.
  • SQL Server   You need to add the specified domain user as a SQL Server login user.

Configuring Users on the Web Server Computer

To set user permissions for the Windows domain user

Mapping to the Windows User and Enabling Impersonation

After establishing the correct permissions for the ASPNET or NETWORK SERVICE user account and for the user to map to, you configure the application to impersonate that user.

To configure your Web application for integrated security

  • Open the Web.config file for your application and add the following elements:
    <authentication mode="Windows" />
    <identity impersonate="true" userName="domain\username" password="password"/>

    The <authentication> element might already be there.

    Note   Elements in Web.config are case sensitive.

Using Windows Security in the Connection String

Finally, when you create connection strings for database access, configure them to use Windows integrated security.

To use Windows security in the connection string

  • When you create a connection string for your application, do not include a user name and password. Instead, set the connection string's Integrated Security attribute to SSPI.

    The following example shows a connection string that includes the appropriate attributes:

    data source=myserver;initial catalog=northwind;Integrated Security=SSPI

To configure SQL Server for integrated security

  1. From the Windows Start menu, choose Microsoft SQL Server, and then choose Enterprise Manager.
  2. Open the node for the server and expand the node for the database you want to give users permissions for.
  3. Right-click the Users node and choose New Database User.
  4. In the Database User Properties dialog box, enter domain\username in the Login name box, and then click OK.
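
The Web.config and connection-string settings from the procedures above can be checked with a short script. The following Python is an added example, not part of the original article: the function names, the sample file, and the use of `<appSettings>` to hold connection strings are assumptions. It also reports when the `<identity>` element carries a `password` attribute, since that value is readable by anyone who can read Web.config.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's elements and connection string, plus one
# constructed SQL-login connection string for contrast (<appSettings> is assumed).
SAMPLE_CONFIG = r"""<configuration>
  <appSettings>
    <add key="ConnStr" value="data source=myserver;initial catalog=northwind;Integrated Security=SSPI" />
    <add key="LegacyConnStr" value="data source=myserver;initial catalog=northwind;user id=appuser;password=example" />
  </appSettings>
  <system.web>
    <authentication mode="Windows" />
    <identity impersonate="true" userName="domain\username" password="password" />
  </system.web>
</configuration>"""

CRED_KEYS = {"user id", "uid", "password", "pwd"}

def parse_conn_string(cs):
    # Split 'key=value;key=value' into a dict with lower-cased keys.
    pairs = (p.split("=", 1) for p in cs.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_conn_string(cs):
    kv = parse_conn_string(cs)
    findings = []
    if kv.get("integrated security", "").lower() not in ("sspi", "true"):
        findings.append("integrated security not enabled")
    embedded = sorted(kv.keys() & CRED_KEYS)
    if embedded:
        findings.append("embedded credentials: " + ", ".join(embedded))
    return findings

def audit_web_config(xml_text):
    root = ET.fromstring(xml_text)
    findings = []
    auth = next(root.iter("authentication"), None)
    if auth is None or auth.get("mode") != "Windows":
        findings.append('authentication mode is not "Windows"')
    ident = next(root.iter("identity"), None)
    if ident is None or ident.get("impersonate") != "true":
        findings.append("impersonation is not enabled")
    elif ident.get("password"):
        findings.append("identity password for %s is stored in Web.config" % ident.get("userName"))
    for add in root.iter("add"):
        value = add.get("value", "")
        if "data source=" in value.lower():
            findings += ["%s: %s" % (add.get("key"), f) for f in audit_conn_string(value)]
    return findings
```

Calling `audit_web_config(SAMPLE_CONFIG)` returns one finding for the `<identity>` password and two for `LegacyConnStr`; the page's own connection string produces none.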

See Also

Accessing SQL Server from a Web Application | Access Permissions for Web Applications | Database Security | ASP.NET Authentication | Security Portal | INFO: Implementing Impersonation in an ASP.NET Application (Q306158) (KnowledgeBase article)

© 2009 Microsoft Corporation. All rights reserved.