Classic ASP Integrated Security in connection string

Question

I have old classic ASP application (not asp.net) that I need to configure to use Microsoft SQL Server 2008. It works well with following config string:

SERVE         


        

Answer 1

Note that this will hit SQL based on the authentication of your asp application pool assuming your using anonymous authentication.

I see you have added a comment noting IIS 5, setting a site to use windows auth on ISS5 is possible by going to the properties of your site, selecting the "Directory Security" tab, then clicking the "Edit" button on the "Anonymous access and authentication control" section. Disable anonymous authentication and tick the "Integrated Windows Security" option.

(NOTE: the webserver will need to be able to authenticate the credentials, so you may run into NTLM and kerberos issues depending on your domain configuration - tread carefully!)

This should execute the asp files as the authenticated user, in which case your connection strings would then be able to use trusted connections.

You have a few choices here depending on which providers you have available to you.

For instance, with the SQL Native Client 9.0 OLE DB provider you could use:

Provider=SQLNCLI;Server=myServerAddress;Database=myDataBase;Trusted_Connection=yes;

Native Client 10 is slightly different:

Provider=SQLNCLI10;Server=myServerAddress;Database=myDataBase;Trusted_Connection=yes;

I prefer the SQLOLEDB provider (ive had trouble with SQL SERVER driver and VARCHAR(MAX) in the past):

Provider=SQLOLEDB;Data Source=Your_Server_Name;Initial Catalog=myDataBase;Integrated Security=SSPI;

NOTE: suddenly changing the authentication may break other stuff - i'd certainly just recommend adding a SQL credential on the SQL server and use that in your connection strings instead.

Answer 2

Its a pity you haven't replied to my inquiry in a comment to your question so I will have to give a wider answer. (Although HeavenCore has actually given you the correct connection string to use, the SQLOLEDB one).

When using anonymous access

When you run a Classic ASP website under anonymous access the security token that the thread executing the acript belongs to the IIS anonymous user. This user by default on IIS5.1 is a local machine user. As a result unless the SQL server is also running on the same box you can't use this user to grant access to a SQL Server.

You would need to create a new user in your domain to act as the anonymous account. Then you would change the anonymous user for your application to this new account. In SQL server you can then grant appropriate database access to this account.

If I recall correctly you can set the anonymous user account by opening the site properties. In the Directory Security tab, click Edit.. under Authentication and access control. In the authentication methods dialog that appears you can change the anonymous account to one that is a member of the domain.

When using windows integrated access

If you running classic ASP without anonymous access but instead are authenticating connections using window integrated security then each script will run using the security token of the authenticated user. Hence when SSPI is used in the SQL connection the user associated with the connection the request has arrived on is used.

To give these users access the SQL DB you would need to create appropriate AD Group(s) and grant these Group(s) access to the DB. Then assign the users to these Group(s).

The downside to this approach is that it gets limited benefit from connection caching however considering the rest of your configuration that may not be too much of a concern.