IIS and SQL on separate servers - how do you setup a user account for .net app? [closed]

Question

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.

---

This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.

Closed 2 years ago.

Improve this question

Is there a site with details on how to setup a web .net app hosted on IIS requiring access to a db on a remote server? I can do this when both IIS and SQL Server are on the same box, using AppPool user...but don't know how to do this when the SQL server is remote. Our setup: AD, both SQL Server and IIS servers are in same domain,IIS 7.8 and 8,SQL 2008 and 2012,Databases to be accessed by >1 IIS server. IIS is anonymous access

Is the most secure method to contune to use an app pool user on IIS, and to create a user on SQL with domainname\machinename$ Would I be right in thinking that this would work as the app pool user uses machinename$ Thus both IIS and SQL are using machinename$?

Answer 1

There are really 2 methods to do this:

1) Use SQL server authentication. Create a SQL user and use a connection string in the following format for SQL 2012:

Server=myServerAddress;Database=myDataBase;User Id=myUsername; Password=myPassword;

2) Use mixed mode authentication and authenticate as a Windows user. Your connection string would look like this:

Server=myServerAddress;Database=myDataBase;Trusted_Connection=True;

You'd first go onto the web servers and create a Windows user. Remove it from the domain users group.

Then you'd go into SQL, add the user you're trying to connect with to the list of users, then grant read/write to the database you're trying to access.

If you go with this method, you'd set your app pool to run as the user you created and then add that user to the IIS_WPG group if you're running Windows 2003 or to the IIS_IUSRS group if you're running Windows 2008 or later.

Either one of these methods are perfectly acceptable. If you're running the webservers in the DMZ (not in your Windows domain), you'll want to go with option 1. If the webservers are in the domain, some would argue that option 2 is marginally safer because you're not storing the password in plain text, but you could still do option 1 if you felt like it.

Also, here's a pretty good site with a list of formats of connection strings for various versions of Windows/.NET/SQL:

https://www.connectionstrings.com/sql-server-2012/