Using a domain ID other than logged-in user ?

Question

Background: historically, we've generally used SQL user IDs for applications (web, windows and console), keeping the connection strings encrypted in the web/app.config (local utility class).  Access is granted to developers via their domain ID, generally using SQL roles.

Now, here's the question/scenario... First: the desire to have security associated to domain ID's, leverage AD groups, easier maintenance and reporting, etc., etc...  Second: we don't want to actually grant access to end-users, especially where sensitive data is concerned, or where update access is required.  It has been suggested to use, let's call them 'dedicated, alternate' domain IDs in our SQL connection strings.  Like a SQL id, but using AD.

So, theoretically, we specify userid as "domain\app_userid" or app_userid@domain.com" and send the domain password along with the rest of the connection string.

I'm thinking that this isn't going to work.  That you either are a trusted connection (already authenticated signed-on user, or whatever), or you are a SQL userid.  Is there a way to do the alternate domain-ID connection?  Preferably without RunAs shortcuts.

Regards,
Bruce

 

Answer 1

Details: SQL2005, shortly (I hope) to be SQL2008R2; have tried

"data source=dev;initial catalog=home;User ID=domain\testuser;Password=testpass"

This throws an exception when trying to open the SqlConnection object

ex.message = "General network error. Check your network documentation."

 StackTrace "   at System.Data.SqlClient.ConnectionPool.GetConnection(Boolean& isInTransaction)
   at System.Data.SqlClient.SqlConnectionPoolManager.GetPooledConnection(SqlConnectionString options, Boolean& isInTransaction)
   at System.Data.SqlClient.SqlConnection.Open()
   at WinAppTest.Form1.Form1_Load(Object sender, EventArgs e) in H:\Public\BEH\util-and-misc\CodeTester\Copy of WinAppTest\Form1.vb:line 112" String

I did actually try various things before resorting to posting a question.

Answer 2

Hello,

As far as I know you can only specify SQL Auth accounts in the connection string, the libraries won't do impersonation which is what you are talking about. Personally I would stay away from account impersonation, but I don't know your constraints.

If you wanted to use a different AD account as teh one that connects, you'll have to impersonate that account in your program before connecting so that you have it's security token. Again, I would not go this route.

I think what you are looking for is an application role.

Resource: App roles

-Sean

Answer 3

Sean,

It sounds like "account impersonation" is an accurate description.  I'm not enthusiastic about doing that, but if there are good reasons why it would be a bad idea, I'd love to hear them, because I'm expecting an argument on my end. 

The App roles sounded good, but it appears they have issues crossing databases, and we do have situtation which do that (and I know granting access to "guest" isn't going to fly), so I don't think that App roles are a viable option.

Thanks,
- Bruce

Answer 4

Bruce,

Impersonation brings its own problems to the table. For one, you won't be able to track which "person" would be connecting or making changes unless you added in your own code in the application to pass the original user information along. This effectively makes Auditing useless (inside of SQL Server) unless you roll your own. On top of that, account impersonation isn't always allowed at corporations due to the inherent security risks. What is to stop an end use from impersonating that account from outside of the application? What happens if someone who knew the password to that account left and it had to be changed? What if your security policy is that impersonated accounts need to have their passwords changed every 30 days?

Not that this would be the best way to do it, but assuming you have a stored procedure API style interface in your database, execution context can be used such as execute as user. I'm personally not a big fan of cross database styles as the norm rather than the exception. By that I mean if your model uses multiple databases constantly, taking the hit for cross database queries and etc, why not have them as different schemas in the same database? Obviously 3rd party products there isn't much you can do about, but I wouldn't use constant cross database talk as the standard.

To point back to your first requirement, what does impersonating a single account really get you? It doesn't get group based management per se, and if an end user would figure out the username and password they would have direct access to the database. Access to encrypted information would be done through the application I'm assuming, so you would have to create your own security inside of the application and outside of SQL Server, basically re-inventing the wheel.

What may work for you is if you use Active Directory groups, allow those groups to connect and assign the groups to a database role with only the access that they need. In order to access any of the sensitive information (say to update, etc) you could employ either another AD group to say only managers that could select/update/delete/etc through another database role (which they would belong to say the users and managers groups and as such get the higher of the two priv sets) and the stored procedure to access that information could even go one step further by checking assigned groups (though the users group wouldn't have access to this SP anyway so it wouldn't be possible for them to execute it per se). This would still allow auditing to happen natively, your first requirement is met becuase you can still exercise AD groups, and your second isn't quite met as they would have access to it, but only if they belonged to the group that had permission to.

Just some items to think about.

Resource: Account Impersonation

-Sean

Answer 5

When you log in to SQL Server, you can only log in as yourself, if you use Windows authentication. If you want to log in as someone else, that needs to happen before you log into SQL Server.

This can certainly be done in Windows, but if it is a two-tier application, is it not secure, since the password for the account is in the application.

To achieve what you are looking for, you need a third tier, one way or another.

If there is an application server, the server can log in as itself. It can then impersonate the actual user, so that you get complete auditing. Note that the users would not be granted access to SQL Server directly.

Another option is to put the application on a Terminal Server, and hide SQL Server on the network so that it is only visible from the Terminal Server machine. Users logs on to Terminal Server, and directly lands in the application and cannot get out with less than logging out. Users can now have access to SQL Server on their own, because the TS machine is the only way to get to the server.

---

Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se