Wrox Programmer Forums

  #1 (permalink)  
Old March 4th, 2007, 02:25 PM
Authorized User
how to setup .mdf password to link to config str

I'm looking for a "cookbook" explanation of how to set up a SQL Express .mdf file password in order to link it to a configuration string password. I think I understand most of what's going on on the config string side, and I see that it's possible to create an mdf password using T-SQL (but only at DB Create?)...but I don't see yet the complete link up between the two. Some specific questions are:
1) Can I set up the .mdf password -after- I've built the DB? Or does it have to be done during "CREATE" for the DB? (the latter would be not good, since my DB is all built...)
2) What does the "UserID" keyword in the config string have to do with all this? Is it necessary to have a "UserID" in order to use a Config string / mdf password? If so, where does the UserID get set in the mdf?

I'm hoping there's an article that puts the two sides together...so far all I can find is things within the SQL world and things within the config string world...the "glue" language seems to be about accounts and identities and such and just doesn't come together for me.

Any help with this would be appreciated.

Thanks!
  #2 (permalink)  
Old March 4th, 2007, 04:01 PM
Wrox Author

Through the management tools provided in SQL Server Studio Management Express you can set up which users have access to databases.

The UserID portion of a connection string is the UserID you are using to Log into sql and it is under that account that commands will be executed.

You can set up your connection string without a userID and password and specify that a trusted connection should be used, and this article explains the principles behind setting up that connection (albeit, for SQL Server 7/8):
http://aspnet101.com/aspnet101/tutorials.aspx?id=23

hth.

================================================== =========
Read this if you want to know how to get a correct reply for your question:
http://www.catb.org/~esr/faqs/smart-questions.html
^^Took that from planoie's profile^^
^^Modified text taken from gbianchi profile^^
================================================== =========
Technical Editor for: Professional Search Engine Optimization with ASP.NET
http://www.wiley.com/WileyCDA/WileyT...470131470.html
================================================== =========
Why can't Programmers, program??
http://www.codinghorror.com/blog/archives/000781.html
================================================== =========
  #3 (permalink)  
Old March 4th, 2007, 07:25 PM
Authorized User

Thanks for the input. Hmmm....

I'm clearly missing part of the big picture here...

My prototype website is using SQL Express and ASP.NET 2.0. My configuration strings say "Integrated Security = True" and do not have user id's or passwords. Works fine.

I only want my database to be accessed through ASP.NET (well, except for "offline" housekeeping) and SSMSEE shows ASPNET is a user for the Server.

So, part of what I'm missing is: under what circumstances I would want or need a user id/password at all in my configuration string?

>>> it is under that account that commands will be executed.

I can see that this might correlate the config string user to permissions on the actual file itself...maybe...is that why I might want a userid/password?

Other reasons?

  #4 (permalink)  
Old March 4th, 2007, 07:54 PM
Wrox Author

The reason you would use a username and password is there may come a time when you are not able to configure the connection string as integrated security or as a trusted connection, for example, when you don't have control over both the webserver and SQL. In that instance you will almost certainly have to use a username and password.

  #5 (permalink)  
Old March 4th, 2007, 08:01 PM
Authorized User

Thank you very much for the input. Each piece of information helps me get a clearer picture of how these pieces fit together, and that was a big "click". Since there's no end to application of security features, it's a big help to know when to stop trying to add more. For my "phase 1", I'll have complete control, so I can put away the web.config encryption issue for now...and when I get past phase 1, hopefully I'll have help. Danke!
  #6 (permalink)  
Old March 4th, 2007, 08:08 PM
Wrox Author

No problem. A word of warning: verify that the account that your database commands run under has restricted permissions. E.g. the account shouldn't have database administrator rights and such. (In this case, an evil doer could execute SQL Injection attacks with potentially harmful code. Think DROP TABLE or TRUNCATE TABLE.)

  #7 (permalink)  
Old March 4th, 2007, 08:49 PM
Authorized User

Thanks for that input. Ah, setting aside the web.config encrypt issue, this is another generally fuzzy area for me: "the account that your database commands run under." I think the confusion is that in my mental model "the account" is ASPNET, which is the interface to my app code, which is what executes the SQL commands. I'm not seeing how it could be another "account" (which I'm coming to understand is synonymous with "user" and "identity"); but if it is, where is that account specified/determined? If it's ASP.NET, then is the suggestion to not let ASP.NET have database administrator rights?

Thanks for your time on this...
  #8 (permalink)  
Old March 4th, 2007, 10:59 PM
Wrox Author

That I don't know in regards to which account is actually executing commands against your database as I have not worked with SQL 2005 much. In SQL Server 2000 when I configure a trusted connection, however, I determine which account the trusted connection will run under.

By and large, whatever account you set up to run commands should only ever have the permissions necessary to make your application work, and giving that account admin rights to the database is a big no-no since those rights allow that account to perform ANY SQL related task.

  #9 (permalink)  
Old March 4th, 2007, 11:08 PM
Authorized User

Thanks for that input. I also got second confirmation on your last post, which put into perspective why I need to have a userid and password in the connection string...it will force the use of a particular user, which then makes it possible to constrain permissions, per your note above. (Crunch! Sound of biting the bullet) Yeah, it makes sense now, there's absolutely no point in trusting that I can screen the SQL attacks through the app input fields well enough to disregard this. So then it gets down to just the issue of encrypting config strings, and there seems to be a lot of documentation on that. This thread has been a big help in terms of getting me to think through these different user/account/identity objects, what they do and why. So, muchos gracias!
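
The link this thread works toward, between the "User ID" in a connection string and a permission-constrained database account, shown as an added T-SQL example that is not part of any post. The names `MyAppDb`, `webapp_login`, `webapp_user` and the password placeholder are assumptions; the statements can be run against a database that is already built.

```sql
-- Added example (constructed names; not from the thread).
-- Assumes the instance allows SQL Server authentication (mixed mode);
-- SQL Server Express installs with Windows authentication only by default.
USE master;
GO
-- 1. Server-level login. "User ID" and "Password" in the connection string
--    authenticate against this object, not against the .mdf file itself.
CREATE LOGIN webapp_login
    WITH PASSWORD = '<replace-with-strong-password>',  -- placeholder
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = MyAppDb;
GO
USE MyAppDb;   -- existing database; no re-CREATE needed
GO
-- 2. Database-level user mapped to the login. Permissions attach here.
CREATE USER webapp_user FOR LOGIN webapp_login;
GO
-- 3. Grant only what the application uses. No db_owner, no db_ddladmin.
--    Add DELETE only if the application really deletes rows.
GRANT SELECT, INSERT, UPDATE ON SCHEMA::dbo TO webapp_user;
GO
-- With only these grants, an injected DROP TABLE or TRUNCATE TABLE is
-- rejected: both need ALTER (or CONTROL), which webapp_user does not hold.

-- 4. Check: database roles the user belongs to (expect no rows).
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = 'webapp_user';

-- 5. Check: permissions held directly by the user
--    (expect CONNECT plus the three grants from step 3).
SELECT p.state_desc, p.permission_name, p.class_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS u ON u.principal_id = p.grantee_principal_id
WHERE u.name = 'webapp_user';

-- 6. Check: the login is not a server administrator (expect 0).
SELECT IS_SRVROLEMEMBER('sysadmin', 'webapp_login') AS is_sysadmin;

-- Matching connection string (instance name is an assumption):
--   Data Source=.\SQLEXPRESS;Initial Catalog=MyAppDb;
--   User ID=webapp_login;Password=<replace-with-strong-password>;
```

Restricted grants limit what injected SQL can do but do not prevent injection; the account can still read and modify every row it has rights to.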
  #10 (permalink)  
Old March 4th, 2007, 11:11 PM
Wrox Author

You're welcome, my friend.

All times are GMT -4.