Please start any new threads on our new site at https://forums.sqlteam.com. We've got lots of great SQL Server experts to answer whatever question you can come up with.

 All Forums
 General SQL Server Forums
 New to SQL Server Programming
 What Authentication Mode is Best for Me?

Author  Topic 

someguy51
Starting Member

11 Posts

Posted - 2005-10-04 : 12:38:23
Hi,

Were working on a Smart Client application. Our customers will have .Net Windows forms on their computers that will access SQL Server data on our server.

I've read that Windows Authentication is the most secure authentication mode. However, since our customers computers are not on our network it would be impossible to use Windows Authentication. We'll have to use Mixed Authentication. I just wanted to confirm this in case my understanding of the authentication modes is wrong.

Thanks,
Chris

eyechart
Master Smack Fu Yak Hacker

3575 Posts

Posted - 2005-10-04 : 12:49:19
yes, you need to go with mixed mode then.



-ec
Go to Top of Page

jen
Master Smack Fu Yak Hacker

4110 Posts

Posted - 2005-10-04 : 23:09:21
FYI, you can actually use windows authentication if you're using a webserver :), the webserver is the one getting authenticated to the sql server then.

if you're going to use standard login, i recommend you use approle too ( for more info on approle, read BOL )


HTH


--------------------
keeping it simple...
Go to Top of Page

someguy51
Starting Member

11 Posts

Posted - 2005-10-05 : 16:06:26
Thanks for the replies.

I just had a brainwave today that I might actually be able to use windows authentication. Here's our scenario

Server1 - Webserver. Directly connected to the Internet
Server2 - SQL Server. The Webserver can see this server but its not directly connected to the Internet.

What happens is that our smart client windows forms calls a web service on the web server. The web service gets the data from the SQL Server computer and returns it to the windows forms.

Jen said that you can use windows authentication if you're using a webserver. Can anyone point me in the right direction to get that working? Currently, we are not planning to have a domain on the production servers...would we need one?

Thanks,
Chris
Go to Top of Page

jen
Master Smack Fu Yak Hacker

4110 Posts

Posted - 2005-10-05 : 21:53:08
I am not sure if this works without AD, haven't tried it
1. create the logon account if it doesn't exist yet
2. use that account to logon to the webserver
3. add the logon account in sqlserver
4. apply appropriate permissions + other restrictions like approle

HTH

--------------------
keeping it simple...
Go to Top of Page

someguy51
Starting Member

11 Posts

Posted - 2005-10-06 : 13:26:45
Thanks for your help again jen.

So if I were to use Windows Authentication the code that calls the web service would have to pass the windows credentials? If that's the case I think it would be better to stick with mixed mode. My reasoning is that if I'm going to have to store a username and password I would rather store it on one place (the web server) instead of having a username and password on the windows form which every customer would have. I could be wrong though...

Thanks,
Chris
Go to Top of Page

jen
Master Smack Fu Yak Hacker

4110 Posts

Posted - 2005-10-07 : 01:44:49
again, i'm not sure if this is what you mean

1. application accesses the webserver, the webserver talks to sql
2. application has a table in sql to check for application credentials
3. webserver logon account is used to connect to sql

so, connection to sql is authenticated but the permissions still depends on the user/password table that your app will try to validate

so this means that the only way to use your apps is via the webserver and no other machine



--------------------
keeping it simple...
Go to Top of Page

someguy51
Starting Member

11 Posts

Posted - 2005-10-07 : 10:27:19
sorry for the confusion jen. Up until recently I was 100% developper. A couple of weeks ago I was asked to take on the dba role because I have the right "apptitude" for it. I really don't have any experience being a dba and I don't have much of an understanding on how networks work...and no mentor to show me the ropes...

You've got it right on how it works except at the moment we are using a sql server account to connect to sql server. I'm just exploring the possibility of using Windows Auth only. The thing that I'm hung up on is the logon account on the web server. When the web service is called we don't log onto the web server. It just works. I know in the background some account must be logging onto the webserver but I don't know which account it would be.

Thanks,
Chris
Go to Top of Page

AjarnMark
SQL Slashing Gunting Master

3246 Posts

Posted - 2005-10-07 : 18:19:58
Chris, look into the settings in IIS. I haven't done a lot with configuring a Web Service, but a regular web site has the option to change the login user for anonymous access. The default user is IUSR_machinename. You can set this to any Windows account that you want. Then the web site would use that identity to try to connect via trusted connection to SQL Server.

The challenge if you are using a local windows account on the web server is that it can be tricky to get SQL Server to recognize it. You might want to google this. Or, use a domain account that both SQL Server and the Web Server recognize instead.

---------------------------
EmeraldCityDomains.com
Go to Top of Page

Michael Valentine Jones
Yak DBA Kernel (pronounced Colonel)

7020 Posts

Posted - 2005-10-07 : 20:19:27

If you use a local windows account on the web server you can get it to work by creating a local account on the SQL Server box, and giving both of them exactly the same password. Then you just grant SQL Server login and database access to the local account.

Very Important: Both accounts must have exactly the same username and password. If you change the password on one server, you have to change it to the same on the other server.





CODO ERGO SUM
Go to Top of Page
   

- Advertisement -