|
Mycroft Holmes wrote: <layer>almost no one uses it. <layer>The normal design is for the application to have a SQL userid/password that is authorised to access the parts of the database required
You think SQL authentication is preferable to Windows Authentication in a production environment? Or did I misunderstand?
|
|
|
|
|
Nope you did not misunderstand, in over 20 years of database development I have only twice seen windows authentication used and they were both small organisations.
Never underestimate the power of human stupidity
RAH
|
|
|
|
|
Ok, I have an even smaller sample size than you, but in 15 years of SQL/web development i have only once seen SQL authenttication used.
The wisdom passed to be by my elders was that windows authentication could be kept significantly more secure, primarily by centralising policies across (potentially) multiple instance of sql server.
Almost everywhere ive ever worked has specifically not installed sql with mixed mode security, making the use of sql authentication actually impossible.
Edit: this article seems to backup my claims above: http://databases.about.com/od/sqlserver/a/authentication.htm[^]
"Microsoft’s best practice recommendation is that you use Windows authentication mode whenever possible. The main benefit is that the use of this mode allows you to centralize account administration for your entire enterprise in a single place: Active Directory. This dramatically reduces the chances of error or oversight.
For example, consider the scenario where a trusted database administrator leaves your organization on unfriendly terms. If you use Windows authentication mode, revoking that user’s access takes place automatically when you disable or remove the DBA’s Active Directory account. If you use mixed authentication mode, you not only need to disable the DBA’s Windows account, but you also need to comb through the local user listings on each database server to ensure that no local accounts exist where the DBA may know the password. That’s a lot of work! "
Edit2: The general wisdom seems to be that if you support multiple platforms connecting to SQL, then SQL Authentication is your only option. If all clients are on a windows domain, use windows auth. (source: http://blogs.msdn.com/b/jjameson/archive/2007/03/23/sql-server-authentication-modes.aspx[^]).
Its certainly got nothing to do with company size or programmer experience!
|
|
|
|
|
Your arguments are perfectly valid right up until they meet the inertia of outsourced support where it can take 2 weeks to get a new user group creaded in AD. You need 15 pages of forms and 2 interviews to justify the group.
I need to respond to user requirements in hour (or quicker) not in days/weeks. And yeah I seen a multipage exit document signoff.
Never underestimate the power of human stupidity
RAH
|
|
|
|
|
So its basically your very specific situation which precludes you using the prefered method of security. This is totally different from what you originally said:
almost no one uses it
and
test/toy application use integrated security
|
|
|
|
|
Nope I tend to work for large organisations that have a huge amount of inertia. While integrated may be the preferred method I have never seen it implemented in a large organisatrion.
J4amieC wrote: very specific situation
I just finished arguing with IT so my example may have been a little narrow
Never underestimate the power of human stupidity
RAH
|
|
|
|
|
Mycroft Holmes wrote: There is a reason you rarely see question about integrated security in a database forum, almost no one uses it
In that case I've been a nobody for over a decade. I don't like adding passwords to authenticate a user that's already logged in.
Mycroft Holmes wrote: I have never seen anything but a test/toy application use integrated security.
"Therefore, it doesn't exist?"
Bastard Programmer from Hell
|
|
|
|
|
Eddy Vluggen wrote: I don't like adding passwords to authenticate a user that's already logged
in.
Why on earth would you need to do that. I have the user log in using active directories for authentication, then use those details to get the application specific authorisation. Meanwhile the application logs onto the database using a SQL userid/password (actually the WCF service logs onto the databse).
Eddy Vluggen wrote: Therefore, it doesn't exist
Nah probably just not commonly used! Actually that might be an interesting survey.
Never underestimate the power of human stupidity
RAH
|
|
|
|
|
Mycroft Holmes wrote: Why on earth would you need to do that
Your users need access to an additional secret (the sql username/password). I'd say they're already logged in to the system. Where do you keep the secret? Your app needs access to it, so it's entered by the user or it's stored somewhere.
Mycroft Holmes wrote: Nah probably just not commonly used!
That doesn't make it a bad idea
Mycroft Holmes wrote: Actually that might be an interesting survey.
True
Bastard Programmer from Hell
|
|
|
|
|
Eddy Vluggen wrote: Your users need access to an additional secret
Of course not the Application has the credentials, either an encrypted string in the config file or hard coded inside the app. Users have already been authenticated when they log into the app using AD.
Never underestimate the power of human stupidity
RAH
|
|
|
|
|
Is impersonation enabled?
|
|
|
|
|
Yes. I did went through all those procedures.
Vasudevan Deepak Kumar
Personal Homepage Tech Gossips
The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep!
|
|
|
|
|
if you can send it to my E-mail addres " firass2025@hotmail.com "
tanks .
|
|
|
|
|
.
"I need build Skynet. Plz send code"
|
|
|
|
|
Read the guidelines at the top of the page!
I advise this in the spirit of not being an a**hole and ripping you a new one!
Never underestimate the power of human stupidity
RAH
|
|
|
|
|
What color? And should it be fitted nasally?
|
|
|
|
|
Just give him the one-size-fits-all version so he can fit it in a body cavity of his own choosing.
My advice is free, and you may get what you paid for.
|
|
|
|
|
I'll do better than that. I'll give you some sql here, and I'm assuming you are using SQL Server here.
DROP DATABASE insert_name_of_database_here
|
|
|
|
|
Nice but may have a permission problem
|
|
|
|
|
He has my permission to run it.
|
|
|
|
|
Quoted. Check it. xD
djj55: Nice but may have a permission problem
Pete O'Hanlon: He has my permission to run it.
|
|
|
|
|
No problem.
First, though, if you could also let me have your address, date of birth and bank account numbers I'll ship it straight out.
"If you think it's expensive to hire a professional to do the job, wait until you hire an amateur." Red Adair.
nils illegitimus carborundum
me, me, me
|
|
|
|
|
You are a grade one idiot.
|
|
|
|
|
Hi. I've been looking for specifics on this issue for the better part of the morning, but not seeing much help.
Here's what I'm working with (background): I'm building a data-driven console application in C# that needs to schedule the execution of one of many reporting queries that I have encapsulated within stored procedures within a SS2008 db. The stored procs actually exist on a server that is referenced as a linked server to our production db. The references to the stored procs are stored in prod (i.e. Prod database table holds the name of a stored proc that exists on REPORTING server, REPORTING is in the list of Linked Servers of Prod)
Let's say that I have 2 marketing campaigns that each have an "Outbound" operation and an "Inbound" operation. I have the campaigns stored in a reference table, I have the operations stored in a reference table, and I have the CampaignOperations stored in an associative entity that also contains the name of the specific stored procedure that holds the functionality of that campaign operation.
(contrived example):
Campaign1|Outbound|C1OutboundFoo
Campaign1|Inbound|C1InboundFoo
Campaign2|Outbound|C2OutboundFoo
Campaign2|Inbound|C2InboundFoo
What I am trying to create is a stored procedure that acts as a broker/adapter for the campaign Operations. I want to be able to pass in "Campaign1","Outbound" to the public stored proc and have it dip into the CampaignOperations table, pick up C1OutboundFoo, execute it, and adapt the result set to a canonical representation for the calling client.
So, all that said, I am having a bit of trouble figuring out how to get the results from one stored proc back into the broker for it to adapt to the canonical. I went the route of calling openquery, but I found from the documentation that you cannot pass a variable into OpenQuery...which is what led me back to the drawing board.
Help??
"I need build Skynet. Plz send code"
|
|
|
|
|
Ok...so I'm still working through this scenario, and I've run across a possible lead to accomplish what I desire. If anyone has any feedback into the following approach, I would appreciate it.
My application has a singular entry point into the database. For now, let's call it "ExecuteCampaignOperationLogic" that takes in 2 parameters: campaignName, OperationCode.
Production Data Model:
create table Campaign
(
CampaignName varchar(50) Constraint PK_Campaign PRIMARY KEY,
CampaignMission varchar(max)
)
insert into Campaign(CampaignName, CampaignMission) values('StarTrek','5 year mission to
explore new worlds. To seek out new life and new civilization');
create table Operations
(
OperationCode VARCHAR(30) CONSTRAINT PK_Operations PRIMARY KEY
)
insert into Operations(OperationCode) values('EngageWarp');
insert into Operations(OperationCode) values('ComeInPeace');
insert into Operations(OperationCode) values('ShootToKill');
create table CampaignOperations
(
CampaignName VARCHAR(50),
OperationCode Varchar(30),
[Procedure] VarChar(max),
CONSTRAINT FK_Campaign_CampaignOperations FOREIGN KEY (CampaignName) REFERENCES Campaigns(CampaignName),
CONSTRAINT FK_Operations_CampaignOperations FOREIGN KEY (OperationCode) REFERENCES Operations(OperationCode),
CONSTRAINT PK_CampaignOperations PRIMARY KEY (CampaignName, OperationCode)
)
insert into CampaignOperations('StarTrek','EngageWarp', 'Reporting.StarTrekWarpAlgorithm');
insert into CampaignOperations('StarTrek','ComeInPeace', 'Reporting.StarTrekConTheLocals');
insert into CampaignOperations('StarTrek','ShootToKill', 'Reporting.StarTrekTakeMoneyAndWomens');
So...I want "ExecuteCampaignOperationLogic" to take the CampaignName + OperationCode into the CampaignOperations table, pull the appropriate Procedure name, execute it, receive the returned resultset, adapt the results to a canonical representation of the Campaign data, and toss back to the calling client, which will be responsible for mapping this data to a Business Object.
Here's what I'm trying:
CREATE PROCEDURE ExecuteCampaignOperationLogic
(
@CampaignName varchar(50),
@OperationCode varchar(10)
)
AS
BEGIN
DECLARE @PROCEDURE varchar(100)
SELECT @PROCEDURE = [CampaignOperations].[Procedure]
FROM [CampaignOperations]
WHERE CampaignName = @CampaignName
and OperationCode = @OperationCode
CREATE TABLE #foobar
(
foo varchar(10),
bar varchar(10)
)
INSERT INTO #foobar (foo, bar) exec @PROCEDURE
SELECT * from #foobar
END
...anyone see any potential for this technique?
"I need build Skynet. Plz send code"
modified formatting on Wednesday, June 29, 2011 12:55 PM
|
|
|
|