I have been created an asp.net web api with a sql server running on MS SQL server. I have uploaded the sql database to azure, then I have added the asp.net web api to azure too. I then edited the connection string (find it below) inside the web.api file to point to the sql server database currently on azure. I have not been added to access the database through the web api
I have tried accessing the sql database using a local client and I am able to access the database. I havee also tried accessing the web api and I have been able to load some pages.
<connectionStrings>
<add name="DefaultConnection" connectionString="Data Source=floshopadmin;Initial Catalog=FloShop;Integrated Security=True" providerName="System.Data.SqlClient" />
</connectionStrings>
Your connection string is using "Integrated Security".
Most likely your database was setup to allow access to your Windows User account.
The ASP.NET process in Azure isn't going to be running under that account.
Create a new User on the database and use the credentials from that user to connect instead of "Integrated Security".
Related
Okay so I have a Web API I am making for talking to a SQL Azure database and following this tutorial here: https://learn.microsoft.com/en-us/azure/sql-database/sql-database-security-tutorial
I get to the section I already know on how to copy the Azure connnection strings and there are ones like this(ADO.NET):
Server=tcp:{myDatabase}.database.windows.net,1433;Initial Catalog=Expenses;Persist Security Info=False;User ID={your_username};Password={your_password};MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;
I know I have to provide my credentials and I can put them in and get the API to work just fine. My question is how do I protect this string if I save it to GitHub or under source control? In the past with .NET I did a method with a protected configuration as shown here:
https://learn.microsoft.com/en-us/dotnet/framework/data/adonet/connection-strings-and-configuration-files
Basically something like this:
<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
<EncryptedData>
<CipherData>
<CipherValue>{long ciphered value}</CipherValue>
</CipherData>
</EncryptedData>
</connectionStrings>
I was attempting to potentially extend services off of something like this article: Encrypted Configuration in ASP.NET Core
However I am using Azure and I know that mixing Azure into the mix gives you some other things to do as well. Are there any suggestions by people that have used Azure Databases on how they secure their connection string or at least a link to get me started?
I guess that you are using Azure Sql Authentication ( which needs a username and password) or Azure Integrated Security with password, that's why you are concerned about protecting the credentials.
If there is an option I would suggest to use Azure Integrated Security(equivalent to Windows integrated security) which avoids exposing the user/service principal credentials in connection strings. It just needs that account in azure active directory.
If this is not an option to consider we can look for storing the connection string in Azure Key Vault and retrieving it dynamically for establishing database connection.
If you are using Azure App Services there is another way of securely storing your connection strings (and other application secrets). In the Azure portal you can add these settings in the dashboard for your app service, under 'Application settings'. When you scroll down you will eventually come across the 'Application settings' and 'Connection strings' headers. As stated on the dashboard these settings are encrypted at rest and transmitted over an encrypted channel.
In my web app which is hosted as an Azure App Service, I have the following in my web.config for testing:
<connectionStrings>
<add name="ProductionConnection" providerName="System.Data.SqlClient" connectionString="Data Source=tcp:something.database.windows.net,1433;Initial Catalog=DatabaseName;User Id=admin#sssdddr;Password=Pass#word1;Trusted_Connection=False;Encrypt=True;Connection Timeout=30; MultipleActiveResultSets=True" />
</connectionStrings>
I'm trying to follow some basic security best practices here, so I've moved my connection string up to the Application Settings section of my web app:
This particular setting is a bad example because ideally I'd only ever have ProductionConnection stored in Azure and never used locally - but for other connection strings and appSettings used both locally and in production that should should be protected, how should I handle the values when developing locally?
if you're looking for securing secrets/connection strings from developer, go for Azure Key Vault which is designed to secure all your secrets from everyone. Each secret will be exposed as a URI to end developer to consume via REST.
for this, you need to register your application with Azure AD as KeyVault would request for AD Token to provide secrets.
I mean the connection string value / app setting should not be baked
into the application's bin directory
Connection strings are normally located inside web.config file. web.config will never be inside bin folder; we normally place it inside application's root folder.
I believe you mean storing sensitive information like username and password to access SQL Server. You cannot hide connection string and settings from developers who is debugging the application.
In corporate environment, we (developers) use Windows Authentication to access SQL Server.
I need to build a RESTfull web service using OAuth, bearer access_token and refresh_token. Authentication and authorization should be done by checking existing sql db.
The web api template, provided by VS2013 writes/reads in/from its own local sqlexpress db by this connectionString:
connectionString="Data Source=(LocalDb)\v11.0;AttachDbFilename=|DataDirectory|\aspnet-WebApiTest-20150423094253.mdf;Initial Catalog=aspnet-WebApiTest-20150423094253;Integrated Security=True"
After hours of googling, I just got tutorials and examples, which do not match with my issue.
So how can I bind my db into the project for authentication/athorization?
i have created a default MVC 4 app with web api. so far i have added a few API calls.
i would like to use the out of the box membership provider with no customization.
on my local machines i have added two users and added two user roles.
in the api i have added [Authorize] attribute for the API calls class.
It works well and prevents calls to API if the user is not logged in.
However, when i deploy the app on to Amzaon Beanstalk the Register and Login functions are broken. I am getting
Error. An error occurred while processing your request.
in the web.config of the application i have:
<connectionStrings>
<add name="DefaultConnection" connectionString="Data Source=(LocalDb)\v11.0;Initial Catalog=aspnet-UserListsActionsTest-20131103214231;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|\aspnet-UserListsActionsTest-20131103214231.mdf" providerName="System.Data.SqlClient" />
</connectionStrings>
Also, i have gone to the properties of the project and set "Items to deploy" to all files in this project.
should that not be enough? do i need to create a SQL db on beanstalk?
would greatly appreciate some help.
In my experience, I've used Amazons RDS service to create a SQL Server instance and point my connection string to that in which I'll run all of my Migrations to that database. That or you can point it to whatever SQL Server instance you have with the appropriate connection string.
You can then call update-database and have your Users / User Roles created in the Seed() method.
FYI: You may need to configure certain ports/permissions within the RDS instance to be friendly with the Elastic Beanstalk instance. (Think about security groups)
I would also download the AWS Toolkit for Visual Studio as it'll help get you setup with the database connection string and the ability to publish straight to AWS Elastic Beanstalk.
I'm working on an exercise and i want a help. So far I have to created an MVC4 Internet Application using C# and uploaded it to azure as a web site (custom create with sql server). Now I want to create a web service to use the same database that my web application is using. How I can do it?
I found an option when you create a new project (C#->Cloud Project-> Windows Azure Cloud Service)
Note that then i want to use the web service with workflow based service
Thank you
Connections to SQL Azure are just Connection Strings. This isn't any different than creating applications on premises or hosting them elsewhere. Get the connection string of your existing Azure SQL Database and then use that when setting up your database calls in your web service project. You can get the connection string from the Windows Azure Management portal. Dig down to the database and there will be a Show Connection Strings option on the dashboard page for the database. See this documentation if you aren't familiar with working with connection strings Azure SQL: http://msdn.microsoft.com/en-us/library/windowsazure/ee336282.aspx
Note that Azure SQL Databases do not support integrated windows authentication, so the connection string will contain the username and password. You may want to look into securing that information in your configuration.