This documentation is archived and is not being maintained.

Accessing SQL Server from a Web Application

Visual Studio .NET 2003

When a Web application involves database access, it must provide credentials to SQL Server (that is, it must log in to SQL Server) just as any other user or process would. In a Web application, this can introduce complications. For example, if the Web application runs anonymously, there might not be credentials to pass to SQL Server.

There are a number of ways to design SQL Server access for your Web application. The strategy you choose depends on how your computers are configured and whether you are on an intranet. The simplest options are:

  • Use Windows integrated security. This option passes the user's credentials to SQL Server. Because of delegation issues, this is practical primarily if SQL Server is on the same computer as IIS; in addition, your users must be on the same domain as the Web server computer. For details, see Accessing SQL Server Using Windows Integrated Security.
  • Access SQL Server as the local ASPNET or NETWORK SERVICE process (the default user identity for a Web application). This option works well for anonymous access, but works only if SQL Server and the Web server are on the same computer. For details, see Accessing SQL Server as a Local User.
  • Map the Web application process to a Windows domain user and then log in to the database as that user. This works well for anonymous access if SQL Server and the Web server are on separate computers. For details, see Accessing SQL Server Using a Mapped Windows Domain User.
  • Pass an explicit user name and password in a connection string. This option is practical if you can prompt the user for credentials, but can be less secure than other options. You can also choose it as an easier alternative to mapping to a Windows domain user. For details, see Accessing SQL Server with Explicit Credentials.
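
The following C# sketch is an added example, not code from the original page. It shows that the first three options share one connection string and differ only in the Windows identity the code runs as, and it reports which login SQL Server actually authenticated. It assumes .NET Framework 2.0 or later (for SqlConnectionStringBuilder); the class and method names are hypothetical, and the server and database names are placeholders.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;

public static class SqlLoginCheck
{
    // Options 1-3 in the list above share this string. It carries no secret:
    // SQL Server authenticates whatever Windows identity the code runs as
    // (the browsing user, ASPNET / NETWORK SERVICE, or a mapped domain user).
    public static string TrustedConnection(string server, string database)
    {
        SqlConnectionStringBuilder b = new SqlConnectionStringBuilder();
        b.DataSource = server;
        b.InitialCatalog = database;
        b.IntegratedSecurity = true;
        return b.ConnectionString;
    }

    // Option 4: explicit SQL Server login. The builder quotes the values, so a
    // password containing ';' or '=' cannot add or override other keywords.
    public static string ExplicitLogin(string server, string database, string user, string password)
    {
        SqlConnectionStringBuilder b = new SqlConnectionStringBuilder();
        b.DataSource = server;
        b.InitialCatalog = database;
        b.UserID = user;
        b.Password = password;
        b.PersistSecurityInfo = false; // keep the password out of conn.ConnectionString after Open()
        return b.ConnectionString;
    }

    // Reports the Windows identity of the calling thread next to the login
    // SQL Server authenticated, so a misconfigured option is visible.
    public static string Describe(string connectionString)
    {
        string windowsName = WindowsIdentity.GetCurrent().Name;
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand("SELECT SYSTEM_USER", conn))
        {
            conn.Open();
            return "Thread runs as: " + windowsName + " | SQL Server login: " + (string)cmd.ExecuteScalar();
        }
    }

    public static void Main()
    {
        // Placeholder server and database names.
        Console.WriteLine(Describe(TrustedConnection("localhost", "ExampleDb")));
    }
}
```

Calling Describe from a page in the Web application, rather than from a console, shows the identity that the Web application itself presents to SQL Server.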

If you are familiar with other Windows features that help protect users' information, such as Kerberos, Active Directory, and Passport, you can also take advantage of those to set up database access. For more information, see Kerberos Authentication and Trust and Active Directory Security.

See Also

Access Permissions for Web Applications | Database Security | Security Portal | Overview of Web Application Security Threats | Basic Security Practices for Web Applications
