Rule #39
Do you use a Windows Integrated Authentication connection string in web.config?
  v3.0 Posted at 20/10/2010 7:56 PM by system
Both SQL Server authentication (standard security) and Windows NT authentication (integrated security) are SQL Server authentication methods that are used to access a SQL Server database from Active Server Pages (ASP).

We recommend you use Windows NT authentication by default. Because Windows security services operate by default with the Microsoft Active Directory directory service, it is a derivative best practice to authenticate users against Active Directory. Although you could use other types of identity stores in certain scenarios, for example Active Directory Application Mode (ADAM) or Microsoft SQL Server, these are not recommended in general because they offer less flexibility in how you can perform user authentication.

If not, then add a comment confirming the reason.

 

<connectionStrings>
    <add name="ConnectionString"
         connectionString="Server=(local);Database=NorthWind;uid=sa;pwd=sa;" />
</connectionStrings>
Bad example - not using a Windows Integrated Authentication connection string, and no comment explaining why.

 

 

<connectionStrings>
    <add name="ConnectionString"
         connectionString="Server=(local);Database=NorthWind;Integrated Security=SSPI;" />
</connectionStrings>
Good example - using a Windows Integrated Authentication connection string by default.

 

 

<connectionStrings>
    <add name="ConnectionString"
         connectionString="Server=(local);Database=NorthWind;uid=sa;pwd=sa;" />
    <!-- Cannot use Windows Integrated Authentication because they are using Novell -->
</connectionStrings>
Good example - not using a Windows Integrated Authentication connection string, with a comment giving the reason.
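The rule can be checked automatically. The following is an added example, not part of the original rule: a Python check that lists connection strings in a web.config that do not use integrated security and have no XML comment beside them. The sample configuration and its names are constructed, and accepting a comment either directly before or directly after the entry is an assumption.

```python
from xml.dom import minidom

# Constructed sample web.config (names and credentials are placeholders).
SAMPLE = """<configuration>
  <connectionStrings>
    <add name="Reports" connectionString="Server=(local);Database=NorthWind;uid=app;pwd=example;" />
    <add name="Main" connectionString="Server=(local);Database=NorthWind;Integrated Security=SSPI;" />
    <add name="Legacy" connectionString="Server=(local);Database=NorthWind;uid=app;pwd=example;" />
    <!-- Cannot use Windows Integrated Authentication because they are using Novell -->
  </connectionStrings>
</configuration>"""

# Keywords and values that switch SqlClient to Windows authentication.
INTEGRATED_KEYS = {"integrated security", "trusted_connection"}
TRUE_VALUES = {"sspi", "true", "yes"}

def uses_integrated_auth(conn_str):
    """True if the connection string enables Windows Integrated Authentication."""
    for part in conn_str.split(";"):
        key, sep, value = part.partition("=")
        if sep and key.strip().lower() in INTEGRATED_KEYS:
            if value.strip().lower() in TRUE_VALUES:
                return True
    return False

def neighbour_is_comment(node, attr):
    """Walk past whitespace in one direction and report whether a comment follows."""
    sib = getattr(node, attr)
    while sib is not None and sib.nodeType == sib.TEXT_NODE and not sib.data.strip():
        sib = getattr(sib, attr)
    return sib is not None and sib.nodeType == sib.COMMENT_NODE

def undocumented_sql_logins(xml_text):
    """Names of entries that use SQL Server authentication without a comment."""
    doc = minidom.parseString(xml_text)
    flagged = []
    for section in doc.getElementsByTagName("connectionStrings"):
        for add in section.getElementsByTagName("add"):
            if uses_integrated_auth(add.getAttribute("connectionString")):
                continue
            if not (neighbour_is_comment(add, "previousSibling")
                    or neighbour_is_comment(add, "nextSibling")):
                flagged.append(add.getAttribute("name"))
    return flagged

if __name__ == "__main__":
    print(undocumented_sql_logins(SAMPLE))
```

Run it only on configuration files you own, since minidom is not hardened against hostile XML.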
 

