How to capture a user's Active Directory userPrinicpalName when they login with Windows authentication, and then compare that to a SQL Server table column in C#?
Any ideas would be much appreciated.
Check out this page to get the Windows username: How do I get the current username in .NET using C#?
From there you would need to write a sql query that would look up the username.
cmd.CommandText = $"SELECT* FROM table WHERE columnName='{WindowsIdentity.GetCurrent().Name}'"
You may need additional using statement to use WindowsIdentity. Add using System.Security.Principal to where this method is being used.
Related
I have a trigger set on SQL table for Audit Trail purpose.
Here is the trigger code.
ALTER TRIGGER [dbo].[tri_bowzer_UPDATE] ON [dbo].[Bowzer]
For Update
AS
INSERT Table_Audit(TableName, Action, UserName, ComputerName)
SELECT
'bowzer', 'U', suser_sname(), host_name()
It works fine and shows the username and the computer (client) name in Desktop applications. but in ASP.NET applications, I use a common SQL login so that database operations can be performed using this login. I understand that SQL Server is getting server machine name because of this ID. However, I want to capture the client machine name whenever a database operation is performed.
What changes can be made to get client machine name??
You need to tweak your connection string to specify the connectionstring property WSID (Workstation id) as below
string strconn = "data source=SQLSERVER;initial catalog = DBNAME ; uid=sa;pwd=password; WSID=" + (System.Net.Dns.GetHostEntry(Request.ServerVariables["remote_addr"]).HostName);
and then you will get HOST_NAME() value as client machine name in your trigger
MSDN : http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlconnection.connectionstring.aspx
You can set the client's IP address using T-SQL SET CONTEXT_INFO, and retrieve this data in the trigger using the CONTEXT_INFO function.
This design is not really suitable for what you are trying to achieve. I'd consider adding updated by column in your database where you can store user id or machine name of a user who updated data.
This way you'll keep the trigger logic simple and avoid too many connections to your database that might degrade performance.
IN localhost insert statement WORKS PERFECTLY ( insert data in database sql management server) but from web server it doesn't ( update, delete works but not insert).
I am using sql connection , string str = insert into dtbase.dbo.candidat values ().
command cmd = new command (sql, connection)
Can someone please tell me why it doesn;t work from wb server ( I am using web application.) do i need to add some permision in web.config?
To determine if this is a permissions issue (which I think it is) or not then temporarily (this is for the down voters out there) enable ASP.Net Impersonation by using an account that you know has access to your network and SQL Server instance: http://support.microsoft.com/kb/306158
Based on the other comments, I agree that it sounds like a permissions issue.
You may be getting the error using database.dbo.table because your table was created under a different schema (ie. database.user.table) and you're trying to access that schema from a user that doesn't have permissions to that schema.
Does your connection string change from localhost to your production server?
I started to use ADO.NET for 3 days and want to make a program that can control if UserID and Password is suited with it's database value or not .The point is that i am confused about control all UserID and Password rows to suitable.Must i control UserId and password one by one with a loop or is there any sql command to make this.Thanx..
Are you doing this to learn or for production use?
If it is for production use I strongly advice you to look into using the ASP.NET Membership provider instead of building your own security system. It is thoroughly tested and known to be secure.
If it is to learn then you should write a suitable SQL statement. One way to do it efficiently with one query is:
SELECT 1 FROM Users WHERE UserId='GivenUserId' AND Password='GivenPassword'
That will give you one result row back if there is a successful match, or no row back if either user name or password is wrong.
BTW, I suggest to do not store password in DataBase in plain text, use simple MD5 helper to store MD5 hash of password and just compare hash instead of password itself
I am always doing the following Login module:
Create a table with Username and Password
Login by checking the user table.
So how do I use integrated Login just like the application like Sql Server? I don't mean by passing a connection string, I mean it will check the credential of my application without putting any username and password.
Thanks
EDIT:
I don't mean the SQL Server integrated Login, I mean my application's integrated login, is it possible?
For example, my application will read the AD's name and compare to the current username, then I don't need the user to type in a password for my application.
I am not sure how do I do that and where to start, since if I search Integrated Login, 99.9% of the results from Google will give me the connection string, which I am not looking for that.
[This answer assumes that you're on an Active Directory domain]
Are you using active directory windows authentication? If this is the case you can use the integrated security option in the connection string.
Here's an example connection string using integrated security:
"Data Source=MyServer;Initial Catalog=db name;Integrated Security=True"
This would reduce the complexity allowing you to forget about having to ask the user for a username and password because it'll pick up the windows credentials that they've logged into the workstation with.
Edit:
If the application is a website then you'll need to set the SQL server as "trusted for delegation" in active directory (see http://msdn.microsoft.com/en-us/library/aa905162(SQL.80).aspx). This will allow the webserver to delegate the user's windows login credentials to the SQL server. If you don't do this then the SQL connection will be anonymous.
Assuming that your application will be running with Active Directory on the local network I think there are a few options, depending on how do you want to implement authorization.
If you want/need to do authorization with some custom rules/logic then the first thing you need is to determine who ran the application:
Environment.UserName in conjunction with Environment.UserDomainName will give you enough information;
Alternatively (and more secure) you have use the following code snippet:
AppDomain.CurrentDomain.SetPrincipalPolicy(
System.Security.Principal.PrincipalPolicy.WindowsPrincipal);
var identity = Thread.CurrentPrincipal.Identity;
From the identity you can extract Security Identifier which is designed to be globally unique. (But not that pretty as domain\username pair.)
After getting current user's name you can apply whatever authorization rules you want.
I am deploying a Windows Application that uses SQL Server 2005. The program will use SQL Authentication.
My question is, how do you handle the connection string when you don't know what the username/password will be? Do you load this from an encrypted file? Or are there provisions for handling this already?
If the user will provide their login details (username and password) then you just need to provide the ability to enter them in your app, e.g. show a dialog asking for these details. You can then use those values the user gives to build the connection string in your code.
Alternatively, if all your users are going to be using a single SQL account to connect then you can put the connection string in your app.config file using encryption if you want to hide it from your users, see cmsjr's answer for an example of how to do this.
Alternatively, if you're developing this on an internal domain (intranet) then switch your database to integrated security and put your users domain accounts into the relevant access group on your database server. Then you won't have to worry about collecting username or passwords at all.
If the enduser will provide the password you don't need to do anything, dont save the usernamne/password in the config file.
If you don't want the end user to provide the password you could put it in the config file at installation. But that could be a problem if the username needs to be changed and you have encrypted the connectionstring.
Encrypting sections of the configuration is not as simple for a windows app as for a web app, but it is certainly doable. Here's a sample.
Just make sure to check the username/password for "weird" characters that the user might enter. The last thing you want is for them to change around your connection string. Then basically you just specify the driver (if using ODBC), the database, the server, but leave all the username/password and trusted connection info out. Then just tack on username= and password= which will be set equal to what was entered by the user on the end. However watch out for semicolons. I've never tried to see what happens if there is both a username/password and a trusted_connection = true.