Windows or SQL authentication?

  • Hi Team,

    I have an asp.net web and windows applications and SQL Server 2008 dabatases.

    As per current archt, sql authentication was used to connect to these DB's from the app's.

    Now in the servers, our DB team has told to use the service accounts to connect to the DB's. Is it the best practice to use service account? or should use sql authentication?

    Also, if anonymous authentication is enabled, then will this service account be used to connect?. I dont want every user to have access to DB's.

  • Service accounts, as in the account that the SQL Server is running as? No way, that's bad practice.

    Windows authent is good, I prefer it over SQL authent when possible, but each user and each application should have their own account which they use to connect. Not a single account, not the account that SQL runs as.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
  • No, it's the app pool service account on which our asp.net application runs, not the sql server.

    This service account has access to the DB's and our asp.net authentication is set to anonymous.

    I think this is how it works: when a user browses an app, and the request comes to the server and if auth type is anonymous then the app pool's identity(set as service account in my case) is used for further processing.

  • IIRC, you should be able to specify an account for the IIS site (or app pool even), that proxie's all the users requests. In essence, from a Windows AD point of view, the user is anonymous. That account can be added into SQL as a Windows login.

    That's what I've done and would do. Keeps developers out of production SQL boxes as they shouldn't have the proxy account's credentials.

Viewing 4 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic. Login to reply