Just curious as to best practice for managing db access from an asp.net web application. We were currently putting the username and password in the web.config, but this wasn't good enough internal security (obviously), so I decided to use a windows domain user instead by modifying the web.config to use windows domain, and then adding the user to the app pool identity. This all works fine, but what happens when the domain user's password changes? Does that mean that all the webapps that use this user's identity in app pool will require the password change too? This would be an IT nightmare. Does anyone have suggestions on best approach for allowing webapp to access database without exposing password and without having to update passwords in all webapps if the password changes? Thanks
How to manage passwords for database access from an asp.net website
1.5k views. Asked by u84six
2
There are 2 answers
3
Glenn Ferrie
I would recommend using SQL Mixed-mode Authentication and using a SQL account for your app. Put the username and password in the web.config and encrypt that section of the config file.
Here is some information about configuration encryption.
http://msdn.microsoft.com/en-us/library/zhhddkxy(v=vs.100).aspx
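One way to apply the encryption recommended in the answer above, as an added example that is not part of the original answer: a console program that uses the .NET Framework configuration API to encrypt the `connectionStrings` section in place. The virtual path `/MyApp` is a placeholder, and the RSA provider is chosen on the assumption that the key container may later need to be exported to other servers.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example: encrypts <connectionStrings> in an IIS application's web.config.
// Build against System.Configuration and System.Web; run elevated on the web server.
static class ProtectConnectionStrings
{
    // Built-in provider registered in machine.config; backed by a machine-level RSA key container.
    const string Provider = "RsaProtectedConfigurationProvider";

    static int Main(string[] args)
    {
        // "/MyApp" is a placeholder virtual path, not a value from the page.
        string virtualPath = args.Length > 0 ? args[0] : "/MyApp";

        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null)
        {
            Console.Error.WriteLine("No connectionStrings section for " + virtualPath);
            return 1;
        }

        // Idempotent: do nothing if the section is already encrypted.
        if (section.SectionInformation.IsProtected)
        {
            Console.WriteLine("connectionStrings is already encrypted.");
            return 0;
        }

        // Replace the cleartext XML with an <EncryptedData> element on save.
        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);

        Console.WriteLine("Encrypted connectionStrings in " + config.FilePath);
        return 0;
    }
}
```

The application keeps reading `ConfigurationManager.ConnectionStrings` unchanged, because decryption happens when the section is loaded; the app pool identity needs read access to the RSA key container, which `aspnet_regiis -pa "NetFrameworkConfigurationKey" "<identity>"` grants. Any code running under an identity with that access can still recover the password, so the encryption protects the file itself, not the running server.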
A better solution would be to set up a separate app pool that is set up with a service account that has full access to the database. Restart the web app after selecting the new app pool, and use integrated security.
Use a very strong (and lengthy) password and set the account to "password does not expire" and "user cannot change password".
This prevents using clear text in the web.config files.
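To check which of the states discussed on this page a given web.config is in (cleartext password, encrypted section, or integrated security through the app pool identity), here is an added audit example that is not part of either answer. The embedded sample config is constructed, and its server, database and account names are made up.

```csharp
using System;
using System.Data.Common;
using System.Xml.Linq;

// Added example: reports how each connection string in a web.config authenticates.
static class ConnectionStringAudit
{
    // Constructed sample; all names and the password value are invented.
    const string SampleConfig = @"<configuration>
  <connectionStrings>
    <add name=""Legacy"" connectionString=""Server=db01;Database=App;User Id=appuser;Password=example-only"" />
    <add name=""Pooled"" connectionString=""Server=db01;Database=App;Integrated Security=SSPI"" />
  </connectionStrings>
</configuration>";

    public static string Classify(string connectionString)
    {
        // Keyword lookup is case-insensitive; a malformed string throws ArgumentException.
        var builder = new DbConnectionStringBuilder { ConnectionString = connectionString };
        if (builder.ContainsKey("Password") || builder.ContainsKey("Pwd"))
            return "CLEARTEXT PASSWORD";

        object value;
        if (builder.TryGetValue("Integrated Security", out value) ||
            builder.TryGetValue("Trusted_Connection", out value))
        {
            string v = Convert.ToString(value);
            foreach (string on in new[] { "SSPI", "true", "yes" })
                if (v.Equals(on, StringComparison.OrdinalIgnoreCase))
                    return "integrated security (app pool identity)";
        }
        return "no credentials in string";
    }

    static void Main(string[] args)
    {
        // Pass a web.config path to audit a real file; otherwise the sample is used.
        XDocument doc = args.Length > 0 ? XDocument.Load(args[0]) : XDocument.Parse(SampleConfig);
        XElement section = doc.Root.Element("connectionStrings");
        if (section == null) { Console.WriteLine("no connectionStrings section"); return; }

        // An encrypted section carries this attribute and holds only <EncryptedData>.
        XAttribute provider = section.Attribute("configProtectionProvider");
        if (provider != null) { Console.WriteLine("section encrypted with " + provider.Value); return; }

        foreach (XElement add in section.Elements("add"))
            Console.WriteLine("{0}: {1}", (string)add.Attribute("name"),
                Classify((string)add.Attribute("connectionString") ?? ""));
    }
}
```

Run against the sample, `Legacy` is reported as a cleartext password and `Pooled` as integrated security.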