[英]IIS and SQL on separate servers - how do you setup a user account for .net app?
Is there a site with details on how to setup a web .net app hosted on IIS requiring access to a db on a remote server? 是否有网站提供有关如何设置IIS上托管的需要访问远程服务器上的数据库的Web .net应用程序的详细信息? I can do this when both IIS and SQL Server are on the same box, using AppPool user...but don't know how to do this when the SQL server is remote.
当IIS和SQL Server都在同一盒子上时,我可以使用AppPool用户来执行此操作...但是当SQL Server处于远程状态时,我不知道如何执行此操作。 Our setup: AD, both SQL Server and IIS servers are in same domain,IIS 7.8 and 8,SQL 2008 and 2012,Databases to be accessed by >1 IIS server.
我们的设置:AD,SQL Server和IIS服务器都在同一个域中,IIS 7.8和8,SQL 2008和2012,数据库由> 1个IIS服务器访问。 IIS is anonymous access
IIS是匿名访问
Is the most secure method to contune to use an app pool user on IIS, and to create a user on SQL with domainname\\machinename$ Would I be right in thinking that this would work as the app pool user uses machinename$ Thus both IIS and SQL are using machinename$? 是最安全的方法,可以调配在IIS上使用应用程序池用户,并在SQL上使用domainname \\ machinename $创建用户。我是否正确地认为这将在应用程序池用户使用machinename $时起作用?因此,IIS和SQL正在使用machinename $?
There are really 2 methods to do this: 确实有两种方法可以做到这一点:
1) Use SQL server authentication. 1)使用SQL Server身份验证。 Create a SQL user and use a connection string in the following format for SQL 2012:
创建一个SQL用户,并对SQL 2012使用以下格式的连接字符串:
Server=myServerAddress;Database=myDataBase;User Id=myUsername; Server = myServerAddress;数据库= myDataBase;用户ID = myUsername; Password=myPassword;
密码= myPassword;
2) Use mixed mode authentication and authenticate as a Windows user. 2)使用混合模式身份验证并以Windows用户身份进行身份验证。 Your connection string would look like this:
您的连接字符串如下所示:
Server=myServerAddress;Database=myDataBase;Trusted_Connection=True; Server = myServerAddress; Database = myDataBase; Trusted_Connection = True;
You'd first go onto the web servers and create a Windows user. 您首先要进入Web服务器并创建Windows用户。 Remove it from the domain users group.
从域用户组中将其删除。
Then you'd go into SQL, add the user you're trying to connect with to the list of users, then grant read/write to the database you're trying to access. 然后,您将进入SQL,将您尝试连接的用户添加到用户列表,然后对您尝试访问的数据库授予读/写权限。
If you go with this method, you'd set your app pool to run as the user you created and then add that user to the IIS_WPG group if you're running Windows 2003 or to the IIS_IUSRS group if you're running Windows 2008 or later. 如果使用此方法,则应将应用程序池设置为以创建的用户身份运行,然后如果正在运行Windows 2003,则将该用户添加到IIS_WPG组,如果正在运行Windows 2008或Windows Server 2003,则将该用户添加到IIS_IUSRS组。后来。
Either one of these methods are perfectly acceptable. 这些方法中的任何一种都是完全可以接受的。 If you're running the webservers in the DMZ (not in your Windows domain), you'll want to go with option 1. If the webservers are in the domain, some would argue that option 2 is marginally safer because you're not storing the password in plain text, but you could still do option 1 if you felt like it.
如果您要在DMZ中(而不是Windows域中)运行Web服务器,则需要使用选项1。如果Web服务器在域中,则有人会认为选项2稍微更安全,因为您没有以纯文本格式存储密码,但是如果您愿意,仍可以执行选项1。
Also, here's a pretty good site with a list of formats of connection strings for various versions of Windows/.NET/SQL: 另外,这是一个非常不错的网站,其中列出了各种版本的Windows / .NET / SQL的连接字符串的格式:
https://www.connectionstrings.com/sql-server-2012/ https://www.connectionstrings.com/sql-server-2012/
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.