Important: This document may not represent best practices for current development. Links to downloads and other resources may no longer be valid. Current recommended version can be found here.
Accessing SQL Server from a Web Application
When a Web application involves database access, it must provide credentials to SQL Server (that is, it must log in to SQL Server) just as any other user or process would. In a Web application, this can introduce complications. For example, if the Web application runs anonymously, there might not be credentials to pass to SQL Server.
There are a number of ways to design SQL Server access for your Web application. The strategy you choose depends on how your computers are configured and whether you are on an intranet. The simplest options are:
Use Windows integrated security. This option passes the user's credentials to SQL Server. Because of delegation issues, by default this frequently works only if SQL Server is on the same computer as IIS.
Map the identity of your ASP.NET application to a Windows domain user and then log into the database as that user. This works well for anonymous access if SQL Server and the Web server are on separate computers.
Access SQL Server as the local identity of your ASP.NET application (for example, the local ASPNET account on a Windows 2000 server or the local NETWORK SERVICE account on Windows Server 2003). This option works well for anonymous access.
Pass an explicit user name and password in a connection string. You can pass a predetermined user name and password. This option can be less secure than the other options, so you should always use protected configuration to secure the connection strings.
Provides an example of how to use Windows integrated security for database access.
Provides an example of how to use a mapped Windows domain user for database access.
Provides an example of how to use a local user account for database access.
Provides an example of how to use predetermined login information for database access.
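The following C# sketch is an added example, not code from the original page. It checks the difference between the integrated-security option and the explicit user name and password option described above, and applies protected configuration to the `connectionStrings` section when an explicit login is found. The class name, the server and login values, and the idea of running it as a deployment step are assumptions; it targets .NET Framework with references to System.Configuration and System.Web.

```csharp
// Added example (not from the original page). Sample connection strings are constructed.
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web.Configuration;

public static class ConnectionStringAudit
{
    // True when the string carries an explicit SQL login rather than
    // relying on Windows integrated security.
    public static bool UsesExplicitCredentials(string connectionString)
    {
        try
        {
            var b = new SqlConnectionStringBuilder(connectionString);
            return !b.IntegratedSecurity && (b.UserID.Length > 0 || b.Password.Length > 0);
        }
        catch (ArgumentException)
        {
            // Not a SQL Server style string, so it cannot be verified here.
            // Assumption: treat it as sensitive and protect it anyway.
            return true;
        }
    }

    // Encrypts <connectionStrings> in the Web.config of the given application
    // path if any entry holds explicit credentials and the section is plaintext.
    // The calling account needs write access to Web.config, and the ASP.NET
    // identity needs read access to the RSA key container to decrypt at run time.
    public static bool ProtectIfNeeded(string appPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null || section.SectionInformation.IsProtected) return false;

        bool needed = false;
        foreach (ConnectionStringSettings cs in config.ConnectionStrings.ConnectionStrings)
            needed |= UsesExplicitCredentials(cs.ConnectionString);
        if (!needed) return false;

        section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    public static void Main()
    {
        Console.WriteLine(UsesExplicitCredentials("Data Source=db01;Initial Catalog=Shop;Integrated Security=SSPI"));
        Console.WriteLine(UsesExplicitCredentials("Data Source=db01;Initial Catalog=Shop;User ID=webapp;Password=example"));
    }
}
```

`ProtectIfNeeded` takes the application's virtual path (for example a hypothetical `"/MyWebApp"`); ASP.NET decrypts the protected section transparently when the application reads its connection strings.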