setting up access to sql db through ASP page

  • Hi,

    I have an existing web application with ASP scripts running on IIS and a SQL Server DB. The users who connect are part of the domain and connect to the database using Windows NT authentication (there is a system DSN created with Windows Authentication, and on the SQL Server a login was created for the domain-user group and the necessary permissions were assigned to the login). This works without a problem.

    Now I need to allow external users who are not part of our domain to access the same DB to read some data (not to write). I don't want to create domain accounts for them, so they cannot use the same way to connect to the DB. I am thinking of creating a login in SQL Server (with limited permissions), having the web page (external users) connect using this login, and differentiating the users by maintaining a table with username/password.

    Please let me know whether I am going in the right direction; if not, please give me some advice on how to do it. Also let me know where I have to be careful in setting this up, as I am dealing with some sensitive data.

    Thanks in advance.

  • In the web sites I have developed in the past, I create a dedicated SQL Server user and assign only the necessary rights that the page (or site) will need. I place the necessary credentials in a single file and use an include statement in my ASP pages so I only have to maintain that information in one location.

    My latest project was done using vb.NET. Essentially, it uses the same connection file concept to store the credentials but does allow you to encrypt the information in the file so if someone stumbles across it, they won't be able to gain access to those credentials. I don't know if an older ASP site can use an encrypted connection information file or not.

    I used both of these methods to create applications for external users who needed read access to the data we stored.
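
Added example (not part of the original thread and not the posters' own code): one way to set up the dedicated, limited-rights SQL Server login described above so that it can only read selected columns through views. All object names are hypothetical and the password is a placeholder.

```sql
-- Added example. All names (SalesDb, web_ext_reader, ext, dbo.Orders and its
-- columns) are hypothetical placeholders, not taken from the thread.
USE master;
GO
-- SQL-authentication login used only by the external-facing ASP pages.
CREATE LOGIN web_ext_reader
    WITH PASSWORD = '<replace-with-long-random-password>',
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = SalesDb;
GO
USE SalesDb;
GO
CREATE USER web_ext_reader FOR LOGIN web_ext_reader;
GO
-- Separate schema holding only what external users may read.
CREATE SCHEMA ext AUTHORIZATION dbo;
GO
-- Expose selected columns; sensitive columns are simply not in the view.
CREATE VIEW ext.OrderStatus
AS
SELECT OrderId, CustomerRef, Status, ShippedDate
FROM dbo.Orders;
GO
-- Read access to the ext schema only. Because ext and dbo share an owner,
-- ownership chaining lets the view read dbo.Orders without a grant on it.
GRANT SELECT ON SCHEMA::ext TO web_ext_reader;
-- Explicit denies guard against later role memberships widening access.
DENY INSERT, UPDATE, DELETE, EXECUTE ON SCHEMA::ext TO web_ext_reader;
DENY SELECT, INSERT, UPDATE, DELETE, EXECUTE ON SCHEMA::dbo TO web_ext_reader;
GO
-- Check: list the effective permissions as the new user sees them, to
-- confirm nothing beyond read access to the view was granted.
EXECUTE AS USER = 'web_ext_reader';
SELECT entity_name, subentity_name, permission_name
FROM sys.fn_my_permissions('ext.OrderStatus', 'OBJECT');
SELECT entity_name, subentity_name, permission_name
FROM sys.fn_my_permissions('dbo.Orders', 'OBJECT');
REVERT;
GO
```

Because every external user shares this one login, the database cannot tell them apart; the per-user username/password table mentioned in the first post has to be enforced by the ASP code itself.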

  • Thanks for your response. I think I am doing it in more or less the same way as you. I need to figure out whether I can encrypt the connection details in my page.

    Thanks.

  • I don't think you can encrypt the connection string in an older ASP application. I just spent the last 20 minutes searching for information on doing this and all of the references I can find point to instructions on encrypting the connection string in the web.config file for a .NET application.

  • Thanks very much for your time, I really appreciate it. How about if I create a variable in an object (ActiveX, registered on the web server) and get the connection string details from it? Do you think it is possible?

  • Sounds like an interesting project. I don't know for sure if it will work but it seems that if VBScript code exists that could read the variable, it should be just fine. Let us know if it works and how you got there. It would be valuable information to have here.
