5

I was wondering when using Windows Authentication mode in a connection string from a web application. Application itself is using Windows Authentication for authorization. Which account will be used to login to SQL Server.

Is't the web application pool account? User account who logged in to web application using windows auth? Any other account?

Application is running under Win Ser 2008 64 bit and IIS 7. Application pool account is Network Service.

user724779
  • 51
  • 1
  • 3
  • "Integrated" mode?! All I knew of was Windows, SQL Server logins, and Mixed mode (supports both Windows auth and SQL Server logins). – OMG Ponies Apr 26 '11 at 05:15
  • 3
    It will be the account that is running the ASP.NET code - e.g. the application pools' account (something like `ASPNET` or the `IUSR_(machinename)` ) – marc_s Apr 26 '11 at 05:29
  • @OMG Ponies: If you ever used SqlConnection.ConnectionString you would know that "Integrated Security" is one of the keywords that allow you to specify the mode of connection. In your comment you refer to Sql Server authentication mode. OP refers to connection mode, these are different things. And yes, "Integrated Security = true" means Windows Authentication mode. – Andrew Savinykh Apr 26 '11 at 06:05
  • @zesperi: The title and tag only says "SQL Server" ;) – OMG Ponies Apr 26 '11 at 06:07
  • @user724779: what web server / version are your web application running under? – Andrew Savinykh Apr 26 '11 at 06:08
  • @OMG Ponies: Its interesting to see that you emphasize on tag while the whole description is made available for your reference :P – user724779 Apr 26 '11 at 16:06
  • @zesperi: Tagging (besides title) is what highlights questions for attention - your account is old enough, figured you'd comprehend that much. – OMG Ponies Apr 26 '11 at 23:06

3 Answers3

6

It depends on how you configure it. From http://msdn.microsoft.com/en-us/library/ms998292.aspx and http://msdn.microsoft.com/en-us/library/bsz5788z.aspx ...

ASP.NET applications do not impersonate by default. As a result, when they use Windows authentication to connect to SQL Server, they use the Web application's process identity. With this approach, your front-end Web application authenticates and authorizes its users and then uses a trusted identity to access the database. The database trusts the application's identity and trusts the application to properly authenticate and authorize callers. This approach is referred to as the trusted subsystem model.

The alternative model referred to as the impersonation/delegation model uses the original caller's Windows identity to access the database. This approach requires that your ASP.NET application is configured to use impersonation. See the section "Impersonation / Delegation vs. Trusted Subsystem" in this document.

So depending on how you have configured it, it could use either the app pool account (not when not using impersonation) or the account of the logged-in user that is using the web application (when using impersonation).

See http://msdn.microsoft.com/en-us/library/134ec8tc.aspx for impersonation information.

Community
  • 1
  • 1
Shawn
  • 8,374
  • 5
  • 37
  • 60
0

The problem that i was having was that my application pool account in SQL Server needed to be set to the db_owner role before it worked. I spent a long time trying to figure this out.

I was using Windows Authentication, Windows 7 home premium, and IIS all on the same computer. I'm posting this in case someone else run into a similar problem. The book i used did not say to use db_owner but the reader and writer accounts instead.

Jacob Pressures
  • 1,391
  • 2
  • 12
  • 15
0

It's the application pool user who connects to the database, if you specified Integrated Security in your connection string.

alexl
  • 6,841
  • 3
  • 24
  • 29