There are two security modes (authentication modes) to choose from when installing SQL Server. The difference between them is which software performs the authentication process. Authentication is the process of confirming the identity of a user who is connecting to SQL Server. Once authentication has been performed, SQL Server can verify that the user has permission to connect to a requested resource, such as a database. If the user has permission to connect to the database, SQL Server allows the connection request to succeed; otherwise, the connection fails. This process of verifying user permission is called authorization.
· Windows Authentication (also known as Trusted Authentication or Integrated Security) uses the identity of the Windows user making the connection request to perform authorization to the database. In this case, the connection string does not have to provide an explicit username and password. ASP.NET runs as a local user named "ASPNET" (or "Network Service" in IIS 6.0), so when Windows Authentication is used, SQL Server checks whether this user has permission to use the database. All ASP.NET applications run as this same user, so this security mode treats them all equally. It is possible to run each application in a separate ASP.NET process (with a separate user running each application), or to impersonate the Windows identity of the browser client making the connection request, but these techniques are beyond the scope of this book. Client impersonation is, however, the most common use of Windows Authentication in web applications.
· SQL Authentication checks explicitly supplied usernames and passwords against users configured within SQL Server (without involving the operating system). In this case, each application running in the ASP.NET process can connect to the database with separate credentials, which reasonably isolates the applications from one another (Application A cannot connect to B's database unless it has B's username and password). This is the most common authentication mode for deployed web applications, especially in shared hosting. A small disadvantage is that the application must retain the password of the account used to connect, and if a malicious user obtains this password, the security of the database is compromised. However, as you will see later in this book, ASP.NET provides a secure way to store the SQL Authentication password in encrypted form in the Web.config file, which reduces the risk of the password being obtained.
· Mixed Mode is a configuration of SQL Server that allows both Windows Authentication and SQL Authentication.
When installing SQL Server or SSE, you must choose an authentication mode. In SQL Server, a wizard helps you choose during the security steps of setup, while in SSE the default choice is Windows Authentication. If you want to use SQL Authentication, you must configure it explicitly. This article uses Windows Authentication.
If you have already installed SQL Server or SSE, you can view the configured authentication mode by opening RegEdit (back up the registry first), navigating to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server and searching for LoginMode. A LoginMode registry value of 1 represents Windows Authentication, while a value of 2 represents Mixed Mode authentication.
Table 3-1 summarizes the differences between these modes.
Table 3-1
| | Windows Authentication | SQL Authentication |
|---|---|---|
| Alternative names | Trusted Authentication, Integrated Security | None, but Mixed Mode Authentication allows either Windows or SQL Authentication |
| Typical environment | Intranet | Internet |
| Where the list of users and the authentication process live | Windows | SQL Server |
| SSE installation | Installed by default | Must be specified explicitly during installation |
| Connection string | Trusted_connection=true or Integrated Security=true | user=username; password=password |
| ASP.NET web application user | The ASP.NET process account: ASPNET (IIS 5.x) or Network Service (IIS 6) | A SQL user |
| Advantages | Better security; user activity can be tracked through SQL events and Windows events | Can be deployed on a hosting machine without creating a new account; independent of the operating system; a hosted intranet site requires only moderate skills; more flexible, since each application can connect to each database with different credentials |
| Disadvantages | Giving a Windows credential to a web application risks granting it too broad a scope of permissions in the operating system | Passwords are stored in the web application (not the case with Windows Authentication), so make sure the password is saved in Web.config in encrypted form. Using the sa credential would allow a web application to perform low-level operations, so always create new credentials for ASP.NET web applications and grant only the required permissions |
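The following is an added example, not code from the book: a small checker that parses an ADO.NET-style connection string, decides which of the two authentication modes in Table 3-1 it implies (treating `Integrated Security=SSPI` and `Trusted_Connection=yes` as Windows Authentication, which SqlClient also accepts), and reports the SQL Authentication risks listed in the table (the sa account, a plaintext password). Key aliases such as `uid`/`pwd` are assumed from SqlClient's documented synonyms.

```python
# Added example (not from the book): classify a SQL Server connection string by the
# authentication mode it implies and flag the risks described in Table 3-1.
from __future__ import annotations

WINDOWS_AUTH_KEYS = {"trusted_connection", "integrated security"}
USER_KEYS = {"user id", "uid", "user", "username"}      # SqlClient synonyms (assumption)
PASSWORD_KEYS = {"password", "pwd"}
TRUE_VALUES = {"true", "yes", "sspi"}  # Integrated Security=SSPI also means Windows auth


def parse_connection_string(conn: str) -> dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict with lowercased, stripped keys."""
    parts: dict[str, str] = {}
    for segment in conn.split(";"):
        if "=" not in segment:
            continue  # skip empty or malformed segments such as a trailing ';'
        key, _, value = segment.partition("=")
        parts[key.strip().lower()] = value.strip()
    return parts


def auth_mode(conn: str) -> str:
    """Return 'windows', 'sql' or 'unknown' for a connection string."""
    parts = parse_connection_string(conn)
    for key in WINDOWS_AUTH_KEYS:
        if parts.get(key, "").lower() in TRUE_VALUES:
            return "windows"          # no username/password needed, per Table 3-1
    if USER_KEYS & parts.keys():
        return "sql"                  # explicit SQL login supplied
    return "unknown"


def review(conn: str) -> list[str]:
    """Defender-side findings for a connection string, following the table's disadvantages."""
    parts = parse_connection_string(conn)
    findings: list[str] = []
    if auth_mode(conn) == "sql":
        user = next((parts[k] for k in USER_KEYS if k in parts), "")
        if user.lower() == "sa":
            findings.append("uses the sa account; create a dedicated login with only the required permissions")
        if PASSWORD_KEYS & parts.keys():
            findings.append("password is embedded in plaintext; store it in Web.config in encrypted form")
        else:
            findings.append("SQL Authentication without a password key; the connection will fail")
    elif auth_mode(conn) == "unknown":
        findings.append("no recognizable authentication settings")
    return findings
```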