I'm hosting RavenDb on server. Database is available using url,for example aaaa.com:90 and everyone has access to it and can add,remove documents from server level. It is possibility to make access to ravendb server depending on windows authentication?
If ravendb on IIS7 then you need to :
create new user on server set permission on ravendb/web/data read write and
open iis manager select features/authentication and set windows authentication to enable,
and Anonymous authentication to disable,
do not forget use credential on your application,
Go to RavenDB web site for more information
Related
Is there an advantage in using a trusted connection vs a sql login for web application? Is there any pros/cons from one to another?
I usually use Windows Authentication, which is more secure, with a service account. If you are doing an internal application within your own domain and you want to authenticate your users to the database server, you will need to set up delegation on that service account along with the IIS and SQL services. If it is outward facing or you aren't concerned with authenticating users to the database, you simply need to give the relevant permissions to the service account login in SQL. In either case, assuming your webserver is IIS, you would change the web application to run under the service account. This will encrypt and store the credentials on the webserver.
The main reason windows authentication is more secure is it makes use of the Active Directory infrastructure to authenticate users using encrypted messages between the servers. With SQL Authentication the credentials are passed across the network. If you do use SQL Authentication, you should make sure to encrypt the connection string portion of your web config, as you would embed the credentials including the password.
Is it possible, using a classic ASP application hosted in IIS 7.5, to use Windows Authentication on the page (so I can access LOGON_USER) but use the app pool identity to connect to the database? If I turn on Anonymous Authentication and set it to run as the app pool identity, I can connect to the database, but I can't get the LOGON_USER. If I disable Anonymous Authentication, I can get the LOGON_USER, but I can't connect to the database.
Coworker found this: Apparently setting Physical Path Credentials under Advanced Settings on the app will also translate to the network communications with the database. So, anonymous auth off, windows auth on, physical credentials set to service account.
Not really sure why that works, since I would have expected Physical Path Credentials to affect only interactions with disk..
HI all I am developing a web API that will be using identity impersonation (using always the same functional identity valid in my domain) to check the status of configuration files of some servers. To do that, I add this to my web.config file
I also set my IIS server to neglate anonymous authentication and accept windows authentication for web service. However when I try to access the status of the files from a browser I noticed that the API is still using NT AUTHORITY\NETWORK SERVICE as the user and, of course, the access to the remote files is denied. Does anyone have an idea of what am I missing?
Thanks
My fault, forgot to set the Authentication mode to Windows in web.config
I have recently been working on a ASP.NET project for a client. The project was to migrate the database from the old Oracle database to a new SQL Server 2008 database. The migration went well and most of the procedures did not take to long to fix. However we are now having a problem, up until now we have been using SQL Server authentication and using a username and password to access the database from the .NET code. Below shows the connection string:
<add key="DatabaseConnectionString" value="Data Source=DATASOURCE;Initial Catalog=DATABASE;User Id=USERID;Password=PASSWORD;"/>
This was working fine however recently i have recieved an email from the client saying:
"Instead of using a local SQL account for the .NET app to access the database could you please use an Active Directory account. In the web.config it will say <domain name>/<username> rather than just <username>."
What i am confused about is:
Do i have to change the Authentication mode within SQL Server to Windows Authentication?
Does the client mean to change it from <username> to <domain>/<username> or the other way round?
Where abouts in the web.config do i need to make this change to the username? Is it in the connectionstring?
Any help on this would be great.
Also im not sure if you would need to know this but i have added it anyway...
This is the Authentication section of the web.config:
<identity impersonate="true"/>
<authentication mode="Windows"/>
Do i have to change the Authentication mode within SQL Server to Windows Authentication?
No, because Windows Authentication is always enabled. However, disabling Sql Server Authentication is a good practice.
Does the client mean to change it from "username" to "domain/username"
No. This is not only about adding the domain name. You need to authenticate the user against the active directory and use delegation for the sql connection. To use the windows account, you need to decide whether you want a specific account to access the Sql Server, or the web site logged in user account.
I think the first way is almost always better. For that you need to delete the user id and password from the connection string and replace it with "Integrated Security=SSPI", and set the application pool identity to the active directory user account. In Sql Server you need to give this account the right to do what you need.
For the second way, you need windows authentication for users in your web site, and use delegation for the connection. I don't know if impersonation is enough for that.
I have my sql server 2008 setup with mixed mode authentication. I went into sql server and added a new login and referenced an active directory user.
But it seems like all the windows authentication based stuff only ever works with whatever was used to login to the operating system. So I'm outside their domain on my machine and I can't connect. But even if I remote desktop into the server itself, using a seperate remote desktop login, even on that machine, I can't login using the active directory user since in the login box, if I choose window auth, I can't specifiy a different name, and sql server auth says invalid login. I don't see how to supply a windows username and password JUST when logging into sql server.
And also, what about my .net apps? I don't want to hardcode a sql server auth username/password into my encrypted connection string, i want to hard code a windows active directory username/password into the connection string.
And then reporting services, aarrghhh.. Does reporting servies ONLY work with windows logins? If so, then I'm stuck with getting the above working. If not, how do I configure a sql server login to also let me access all our reports?
This is a really broad question; I'll give a survey of some of the different topics you address. I work in a hosting provider and we have many domains with no trusts between them, so I deal with this on a daily basis.
Yes, SQL Server Windows authentication really wants to use the credentials running the client application. You can work around this with the RunAs /netonly switch:
runas /netonly /user:domain\username “C:\Program Files (x86)\Microsoft
SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe”
Authentication for .NET apps is a big topic. Lots of options and chapters, if not books have been written on this.
Regarding Reporting Services: most of this access is through a browser. So this will use whatever credentials you supply to your browser. In IE this is controlled through the security zones and settings of whether your current credentials should be used or if you should be prompted.
Some clues:
If you're external user and SQL Server is in mixed mode it will be easier for you to have SQL login not mapped to AD user (so you use SQL auth and not Windows auth). You may have two SQL Logins - one for Windows auth, second for SQL auth.
If you don't your .NET apps have hard coded passwords use Windows auth and Trusted Connection mode in your ConnectionString. If your .NET app is a service create dedicated AD user then create SQL Login mapped to this AD user. Give your SQL User mapped to SQL Login permissions whatever it needs. Run service in context of dedicated AD user. If app is directly executed by users (.EXE file) also use Trusted Connection. Create AD security group for your app users. Create SQL "group" Login mapped to this AD group. Give your SQL "group" User mapped to SQL Login permissions whatever it needs.
It's not possible to provide login and password for SQL Login with Windows auth in ConnectionString. You use TrustedConnection for Windows auth and login/password for SQL auth.
You may play with switching context inside SQL session - EXECUTE AS, see: http://msdn.microsoft.com/en-us/library/ms181362.aspx