I am trying to figure out how the connection string, AD & SQL Server work together, and I need a little help.

We have a very basic Web app:

  • 1 C# app running on .NET 6 (with kestrel)
  • 1 SQL Server database

Normally we connect to the database with a connection string like this:

```
Server=MySQLServer;Initial Catalog=Mybase;User ID=LocalSQLUser1;Password=tutututu;Application Name=MyWebApp;
```

In this case, my SQL Server user is a local account on my SQL Server. It works, OK, next.

Another internal team asked us to centralize accounts in Active Directory. So I took the MS doc to find out how to construct the connection string:

> Note
>
> Windows authentication takes precedence over SQL Server logins. If you specify both Integrated Security=true as well as a user name and password, the user name and password will be ignored and Windows authentication will be used.

I constructed the new connection string, but without login/password:

```
Server=MySQLServer;Initial Catalog=Mybase;Application Name=MyWebApp;Integrated Security=true;
```

Questions:

  1. How can I provide AD Account login & password programmatically with C# if possible?
  2. If it's possible, is this solution compatible with Linux?
  • Which AD Account do you want? The one that IIS uses, or the one the user uses to login to the web app? – Charlieface Mar 20 '23 at 15:56
  • @Charlieface. I don't want to use the user's login, but I don't want to use the one associated with the process because I don't know how to do this in a Linux container. Maybe the right question is "how to associate an AD account to my process in a Linux container?" – Michael Oullion Mar 20 '23 at 16:17
  • You need to install Kerberos and do `kinit` to get a Kerberos ticket. Then you can use `services.AddAuthentication` see also https://stackoverflow.com/a/58218943/14868997 – Charlieface Mar 20 '23 at 16:25
  • That's a huge change in the app... (we cannot manage two different logins for two different DBs) and it needs a lot of work on the container (and it makes it very specific... can't push it to another environment without refactoring the image). Thanks for the (really) fast answer – Michael Oullion Mar 20 '23 at 16:43
  • It's a standard setup for a domain-joined Linux installation. Speak to your IT team for instructions. – Charlieface Mar 20 '23 at 16:47
  • I don't know about C#, but at least in Java JDBC, there's a possibility to explicitly enter a domain username/password when doing connections from Linux without the Kerberos stuff. Perhaps there's an option in C# as well – siggemannen Mar 20 '23 at 16:51
  • @siggemannen "Without doing the Kerberos stuff" no it just does it for you. Or maybe that's what you meant? – Charlieface Mar 20 '23 at 17:09
  • Well I mean you don't need any kinits or whatever. It's just a different connection string – siggemannen Mar 20 '23 at 19:12
  • Here's how it looks there: https://github.com/kuseman/queryeer/blob/master/queryeer-catalog/src/main/java/se/kuseman/payloadbuilder/catalog/jdbc/SqlServerProperties.java#L152 – siggemannen Mar 20 '23 at 20:02
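
The precedence rule quoted from the Microsoft documentation in the question can be checked mechanically before a connection string is deployed. The following is an added example, not code from the original post or its comments: it classifies a connection string's authentication mode and flags credentials that Integrated Security would cause to be ignored. The class name `ConnectionStringAudit` and the third sample string are constructed for illustration.

```csharp
using System;
using System.Data.Common;

// Constructed samples: the two strings from the question, plus one that sets both.
string[] samples =
{
    "Server=MySQLServer;Initial Catalog=Mybase;User ID=LocalSQLUser1;Password=tutututu;Application Name=MyWebApp;",
    "Server=MySQLServer;Initial Catalog=Mybase;Application Name=MyWebApp;Integrated Security=true;",
    "Server=MySQLServer;Initial Catalog=Mybase;User ID=LocalSQLUser1;Password=tutututu;Integrated Security=SSPI;",
};

foreach (var cs in samples)
    Console.WriteLine(ConnectionStringAudit.Describe(cs));

// Hypothetical helper (name chosen for this example).
static class ConnectionStringAudit
{
    // Keyword synonyms that SqlClient accepts for each setting.
    static readonly string[] IntegratedKeys = { "Integrated Security", "Trusted_Connection" };
    static readonly string[] UserKeys = { "User ID", "UID", "User" };
    static readonly string[] PasswordKeys = { "Password", "PWD" };

    public static string Describe(string connectionString)
    {
        // Generic parser from the base class library; keywords are case-insensitive.
        var b = new DbConnectionStringBuilder { ConnectionString = connectionString };
        bool integrated = Lookup(b, IntegratedKeys).Trim().ToLowerInvariant() is "true" or "yes" or "sspi";
        string user = Lookup(b, UserKeys);
        bool hasPassword = Lookup(b, PasswordKeys).Length > 0;

        // The password value is never echoed, only its presence.
        if (integrated && (user.Length > 0 || hasPassword))
            return "Windows authentication; User ID/Password are present but ignored";
        if (integrated)
            return "Windows authentication; no secret stored in the string";
        if (user.Length > 0)
            return $"SQL Server login '{user}'; " + (hasPassword ? "password embedded in the string" : "no password set");
        return "no authentication keywords found";
    }

    static string Lookup(DbConnectionStringBuilder b, string[] keys)
    {
        foreach (var key in keys)
            if (b.TryGetValue(key, out var value) && value != null)
                return value.ToString() ?? "";
        return "";
    }
}
```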

0 Answers