1
votes

On our production servers, the admins created a WebUser active directory account which is users for anonymous access to IIS and is also used to authenticate database access with our SQL Server instances using Integrated Security=SSPI in the connection string and identity impersonate="true" in the web.config.

I've often come across situations where I would like to or even need to use forms authentication. However, I using forms authentication, Integrated Security seems to use the logged in user's credentials to authenticate against the database. In these cases I have changed the connection string to use the credentials of a SQL Server users instead. I would prefer to not have a hard coded username and password in the connection string or rather worse in code.

Is it possible to use forms authentication just for user authentication for users and windows authentication with the IIS user for database access? What would be the best practice in such a situation?

1

1 Answers

1
votes

Yes, turn off impersonation (ie: impersonate=false) and the forms auth will be used for the web authentication and authorization, but remote calls will use the asp.net process identity.