Accessing SQL Server from a Web Application

When a Web application involves database access, it must provide credentials to SQL Server (that is, it must log in to SQL Server) just as any other user or process would. In a Web application, this can introduce complications. For example, if the Web application runs anonymously, there might not be credentials to pass to SQL Server.

There are a number of ways to design SQL Server access for your Web application. The strategy you choose depends on how your computers are configured and whether you are on an intranet. The simplest options are:

  • Use Windows integrated security. This option passes the user's credentials to SQL Server. Because of delegation issues, this frequently only works by default if SQL Server is on the same computer as IIS.

  • Map the identity of your ASP.NET application to a Windows domain user and then log into the database as that user. This works well for anonymous access if SQL Server and the Web server are on separate computers.

  • Access SQL Server as the local identity of your ASP.NET application (for example, the local ASPNET account on a Windows 2000 server or the local NETWORK SERVICE account on Windows Server 2003). This option works well for anonymous access.

  • Pass an explicit, predetermined user name and password in a connection string. This option can be less secure than the other options, so you should always use protected configuration to secure the connection strings.
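
The following check is an added example, not code from the original page: it reads a web.config, reports whether each connection string uses integrated security or explicit credentials, and flags any password stored without protected configuration. The sample configuration, server, database and account names are constructed, and the parser assumes simple `key=value;` connection strings.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config content (hypothetical server, database and account names).
PLAINTEXT_CONFIG = """<configuration><connectionStrings>
  <add name="Integrated" connectionString="Data Source=DBHOST;Initial Catalog=AppDb;Integrated Security=SSPI" />
  <add name="Explicit" connectionString="Data Source=DBHOST;Initial Catalog=AppDb;User ID=appuser;Pwd=EXAMPLE-ONLY" />
</connectionStrings></configuration>"""

# Same section after protected configuration has encrypted it (ciphertext replaced by a placeholder).
PROTECTED_CONFIG = """<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData>PLACEHOLDER</EncryptedData>
  </connectionStrings>
</configuration>"""

INTEGRATED_KEYS = ("integrated security", "trusted_connection")
PASSWORD_KEYS = ("password", "pwd")


def parse_connection_string(value):
    """Split 'key=value;...' into a dict with lower-cased keys.
    Simplification: quoted values that themselves contain ';' are not handled."""
    pairs = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            pairs[key.strip().lower()] = val.strip()
    return pairs


def audit(config_xml):
    """Return (name, mode, flagged) per entry; flagged means a password sits in clear text."""
    section = ET.fromstring(config_xml).find("connectionStrings")
    if section is None:
        return []
    if section.get("configProtectionProvider"):
        # The section is encrypted, so individual entries cannot be inspected here.
        return [("connectionStrings", "protected", False)]
    results = []
    for entry in section.findall("add"):
        pairs = parse_connection_string(entry.get("connectionString", ""))
        integrated = any(pairs.get(k, "").lower() in ("true", "yes", "sspi") for k in INTEGRATED_KEYS)
        has_password = any(pairs.get(k) for k in PASSWORD_KEYS)
        mode = "integrated" if integrated else "explicit" if has_password else "unknown"
        results.append((entry.get("name"), mode, has_password))
    return results


if __name__ == "__main__":
    for config in (PLAINTEXT_CONFIG, PROTECTED_CONFIG):
        print(audit(config))
```

An entry flagged `True` is one where the explicit-credentials option is in use and the connection strings section has not been encrypted.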

In This Section

| Term | Definition |
| --- | --- |
| How to: Access SQL Server Using Windows Integrated Security | Provides an example of how to use Windows integrated security for database access. |
| How to: Access SQL Server Using a Mapped Windows Domain User | Provides an example of how to use a mapped Windows domain user for database access. |
| How to: Access SQL Server as a Local User | Provides an example of how to use a local user account for database access. |
| How to: Access SQL Server Using Predetermined Credentials | Provides an example of how to use predetermined login information for database access. |

See Also

Concepts

Secure Data Access (ADO.NET)

Overview of Web Application Security Threats

Basic Security Practices for Web Applications

Other Resources

Securing ASP.NET Web Sites