1

In my application , I am using multiple username and passwords to get connected with DB and other servies internally. These user names are actually Active directory accounts. But I dont want to include username and passwords in web.config.

Can I setup active directory in IIS and ao that I can pass userid to it. In turn the IIS should talk to Active directory and gives the result if that ID has access to connect to database / other services?

I have been searching for this but all I am getting about encrypting passwords in web.config. Please suggest me if this can be viable.

Alienalone
  • 133
  • 1
  • 1
  • 6
  • Possible duplicate of [Getting IIS to impersonate the windows user to SQL server in an intranet environment](https://stackoverflow.com/questions/21891605/getting-iis-to-impersonate-the-windows-user-to-sql-server-in-an-intranet-environ) – Alexander Dec 21 '17 at 17:14
  • Thanks for the response. I am looking for example, I have connection string with ID and password. But I do not want user id to inculde in the connection string. If we can configure AD with the IIS, IIS should be able to authenticate if the userid is really an AD user. Please let me know if I explain this very vague. – Alienalone Dec 21 '17 at 20:47

1 Answers1

0

There are a number of ways to do this, but in the end you will need to store it somewhere if you are planning on not using the integrated security.

Build/Deploy Server

Deploy servers usually have mechanisms for modifying the config files when the application is being deployed to an environment server.

For one example, I've used Octopus before and it would keep track of the connection strings for each environment and swap put in the correct connection string and credentials.

The issue you may see with that is it will still have the credentials in the config on the machine.

Dynamic Connection String

Another way is to encrypt the connection string or just the necessary pieces and build it in code. I've seen credentials stored in the config as encrypted values and I've also seen them stored in the registry. One company even had a central configuration server that managed everything. The credentials weren't stored at all on the server and instead grabbed an OAUTH token and made a call to get it's configuration values.

The option is yours, but the key point is that you won't be relying upon the <connectionStrings /> section anymore.

Encrypt the Config

Little known solution that I've used before is actually just encrypting the config itself. This has worked well in the past, but I will give a small caveat in that I personally have not done it against a web.config. I've only used it for Windows services getting deployed on customer machines/servers.

https://msdn.microsoft.com/en-us/library/dtkwfdky.aspx

Your best option might be to configure IIS to just encrypt the config file if you are worried about people viewing it.

My personal opinion though is this: If you have access to a particular environment server, you probably have access to same data that was attempted to be encrypted/obfuscated. If you're worried about people seeing the config who should not have had access, you have other bigger issues.

TyCobb
  • 8,909
  • 1
  • 33
  • 53