EF Code First如何正确设置数据库凭据

Question

I have developer MVC4 + EF Code First + SQL Server 2008 web app. Uploaded it to prod server with IIS7. Created new credentials PC . Added empty database PCDB to SQL Server and assigned user PC to it with owner permission. When I run web app I get error

Model compatibility cannot be checked because the database does not contain model metadata. Model compatibility can only be checked for databases created using Code First or Code First Migrations

My connection string is

data source=174.xx.x.x;initial catalog=pcdb;user id=pc;password=xxxxx;

The exception is understandable, I can delete PCDB database and let EFCode First create it by itself. But how about credentials PC ? I do not want to make PC user as administrator but without it EF Code First will not be able to create new database in SQL Server.

How to solve the problem?

Answer 1

The overall design starts with Forms or Windows authentication at the WebsiteASP.NET/ IIS. and ends with Application and DB authentication you want/need. Application authorization is another topic. I will not discuss that here.

You dont actually state the authentication model desired. So I will start with a disclaimer. This a suggestion that I WOULD use in a production site. But it is not the ultimate end game nor is it the ONLY short term solution you might consider.

This is a solution that a one man show can get working . And is secure and without excessive admin effort to keep running.

Use SQL server logon via Windows Auth BUT you do not need to add every user to SQL server.
There is also the option of impersonation. But that can get tricky and this explanation is not NOT impersonation. That is another another approach.

first make sure Website is using Windows Authentication

set IIS to use Windows Authentication:

Now the APP Pool behind the website on IIS you have configured. .

Im going to suggest a Psuedo-service user in the APP pool as a good way to start . ie WEBAPPLICATION_X_USER. You can have a separate user per APP pool. Each user can access only its DB. So you get application separation. Your enter a user and password here. IIS will encrypt and decrypt as required. (better than plan text in Web.config)

This user should have reduced auth on the server itself. NOT AN ADMIN user on domain or even local admin. Just enough so it can use Sql server to create a DB. So create a regular windows user

Let ASP.Net logon to DB. Let ASP.net encrypt and decrypt the password.

So now the situation is Windows AUTH on IIS. IIS has an App pool with a special windows user that can logon to SQL server. You have added this user to SQL server instance and Allocated this service user the ability create DBs. Dont give the user access to ALL Dbs :-) Just the one it will create. Plus public access (via EF).

Verify the user credential situation in your WEB APP. See [System.Security.Principal.WindowsIdentity] This should show your windows authenticated end user.

System.Environment.UserName should have the service user ID you placed in the IIS APP POOL.

Now when EF goes to create or access data on the SQL server instance, it will connect with System.Environment.UserName if the WEB.CONFIG entry is set to use windows integrated security

<connectionStrings>
<add name="DbContextName" connectionString="Data Source=Your SQL server Instance;Initial Catalog=The DBNAME;Integrated Security=True;MultipleActiveResultSets=True;App=EntityFramework" providerName="System.Data.SqlClient" />

And you KNOW the authenticated user . httpContext will give it to you as does thread current principal . HttpContext.User is by default mapped to {System.Security.Principal.WindowsPrincipal}

So you can perform application level checking. The same approach should also work with Forms Authentication .

WARNING: If you have windows WPF approach (ie you are not using IIS and therefore no APP pool), then this approach MUST be changed and is more complex and no longer the best place to start.

I hope this helps you get started