Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 1 year ago.
Improve this question
I'm facing a problem developing the app for the client that uses a SQL Server with Windows authentication only, so the situation is that there is a number of Windows accounts in Active Directory that can access the database and some application are using those accounts.
My problem is I have to develop a C# application that has to get any modification in specific table with a SqlTableDependency the only way to access the database is by using an administrator account; is there a way to define any of the defined accounts to connect using Windows authentication for users to execute the app developed?
And many thanks.
You make this assertion about SqlTableDependency:
The only way to access the database is by using Administrator account
But that is not correct. ANY account can do this, no matter what kind of authentication it uses, if the required security permissions are granted. You will need to find out the exact permissions this item uses and communicate with your client about granting those permissions to their users.
At this point there's a good chance your client will get uncomfortable... they may not have realized what they were asking for! But that's okay. Now you can have a real conversation about what their needs are. Perhaps they need a special (sql-auth-based) service account for this. Or perhaps they want to change the architecture so this runs as a background task on the server. It doesn't matter: the important part is you and the client are now making better-informed decisions about the application.
Related
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 5 days ago.
Improve this question
I've written .NET WPF desktop app for Windows OS and now I'd like to restrict access to it only for signed in users. Additionally, some features of the application should be available only for users with certain type of priviledges (admin/regular user). The application will be installed on numerous machines so some kind of remote database should be used to store and manage users credentials (login, password and username) so that they could sign in to the application from anywhere.
What is the best approach to achieve that? I've read about Azure AD and it seems to be the most popular solution for authentication and accounts management, but are there any other (maybe better) ways?
If I use Azure AD, I also have to use MSSQl or is it possible to use other type of db?
And do I even need to create a database as I want only create/manage accounts and perform authentication operations?
I've read about Azure Active Directory and relational databases. For now I struggle with sorting all those concepts out. As far as I understand, Azure AD is used only for authentication and once the authentication is successful, user gets access to db with certain priviledges. What I need is to know if my reasoning is ok and I'd be grateful if more experienced people advise me what are the best practices to achieve my goal
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
I have a number of projects developed in WinForms. Despite looking around on SO and other areas I've not really found a satisfactory answer.
The projects make use of the app.config and are deployed to multiple users using ClickOnce. Each physical install on a users machine will have both the deployed application as well as the app.config. The app.config holds credentials for a restricted account for a database.
Is it possible to encrypt data such as credentials for a Db connection in WinForms that is deployed to the masses? Some users work on laptops offsite, so a network connection wont always be available. I'm just trying to find out what the best practices are for securing a WinForms application might be in this scenario.
Of course you can save the credentials as an encrypted string in your app.config. SO provides some good examples on how to use the System.Security.Cryptography.Rijndael symetric algorithm.
This of course requires the same key to encrypt and decrypt the data. That key will be stored in the source code, and .NET sourcecode is not really save, everyone with the ability to use google and use a program with more than one button will be able to find it in the decompiled code and thus, it's only slightly more safe than just having the password not encrypted.
Most important is, that the credentials your app uses to access the database are only allowed to do what the app needs, so not like using SQL Management Studio to oben the DB and being able to reconfigure everything (Saw that once at a customer).
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
I'm developing a ASP.NET MVC application that runs on one server. The server has user accounts.
The user accounts are not allowed to RDP to the server, but I want to give them a way to change their password through my website.
The website has a home page that anonymous users can see, also an account page that users have to use their windows credentials to log in and see, and there is a Forget Password button. If the users forget the password, I can reset for them.
The users go to my website through Internet.
Is Windows authentication able to allow anonymous access to some page? Is Form authentication able to read Windows account credential? Which way is easier in implementing my requirements?
In general, there is extensive information on ASP.NET MVC authentication types available.
The Problem with Windows Authentication is, that it's quite limited. You can't really have a "Forgotten Password" function with Windows Authentication, it's basically read-only access, but on the other hand, the easiest/fastest solution for Windows Intranet Sites. That's by design, users should change their password through Domain functions. Anonymous access is easy, for example, simply decorate a single method ("Action") or a whole Controller with the [AllowAnonymous] attribute.
Your most flexible choice probably is to use ADFS. It's best of both worlds. You can have a combination of Windows authenticated internal users, Forms authenticated external users (with Username/Password incl. "Forgot Password" function etc.) and anonymous access, as described here. But it's not the easiest way obviously.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 5 years ago.
Improve this question
It doesn't seem like there is a definitive best practice for how to manage SQL Server connections from ASP.NET. Would be interested in hearing the pros and cons for the solutions below, and any others that are not listed. I haven't revisited this since IIS 7.5, so maybe there are better approaches at this point:
Use a virtual application pool identity (Virtual Accounts) and add it as a SQL Login.
Have the App Pool use a domain account for its identity. Set the same account as a login in SQL Server.
Have the asp.net application impersonate a domain account with information gathered from the registry. The app pool will use a virtual application pool identity. Add the domain account as a login in SQL Server.
1) pro: simple
con: if there are multiple web apps on the IIS server, they will all use the machine account to authenticate to a remote SQL instance.
2) pro: can give each app pool a distinct domain identity
con: password management
3) pro: none
con: insecure credential storage
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 9 years ago.
Improve this question
Can i restrict usage of an service user account to particular application by using any programming language? Means i created one service account with Domain administrator privilege to have a semantic backup or something, now how can i restrict users not use that service account for any other jobs/works. If any one uses that service account credential set i would like to have email intimation through any programming language.
You can be alerted when a logon-related event is recorded by attaching a "Send E-Mail" task to the event log of the DC. This way, when the server sees an authentication event coming in, it will e-mail you.
This page explains how to accomplish this step-by-step.
I'm not aware of any means of binding an account like you describe, but the easiest solution would be to prep some scheduled tasks running on that specific account, then keeping the credentials undisclosed to other people.