Do you use a Windows Integrated Authentication connection string in web.config?

Last updated by Tiago Araújo [SSW] over 1 year ago.

Both SQL Server authentication (standard security) and Windows NT authentication (integrated security) are SQL Server authentication methods that are used to access a SQL Server database from Active Server Pages (ASP).

We recommend you use Windows NT authentication by default. Because Windows security services operate by default with the Microsoft Active Directory directory service, it is a derivative best practice to authenticate users against Active Directory. Although you could use other types of identity stores in certain scenarios, for example Active Directory Application Mode (ADAM) or Microsoft SQL Server, these are not recommended in general because they offer less flexibility in how you can perform user authentication.

If you do not use Windows Integrated Authentication, add a comment confirming the reason.

<connectionStrings>
   <add name="ConnectionString" connectionString="Server=(local);
    Database=NorthWind;uid=sa;pwd=sa;" />
</connectionStrings>

Figure: Bad example - Not using a Windows Integrated Authentication connection string, without a comment

<connectionStrings>
    <add name="ConnectionString" connectionString="Server=(local);
     Database=NorthWind;Integrated Security=SSPI;" />
</connectionStrings>

Figure: Good example - Using a Windows Integrated Authentication connection string by default

<connectionStrings>
    <add name="ConnectionString" connectionString="Server=(local);
     Database=NorthWind;uid=sa;pwd=sa;" />
    <!-- Windows Integrated Authentication can't be used because they are using Novell -->
</connectionStrings>

Figure: Good example - Not using a Windows Integrated Authentication connection string, with a comment
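One way to check this rule automatically in a build or review step, as an added example that is not part of the original page: a Python script that reads a web.config and reports, for each connection string, whether it uses integrated security or is an exception with or without a reason comment. The sample config is constructed from the figures above; the verdict labels and the convention that the reason comment directly follows the `<add>` element (as in the last figure) are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample that mirrors the three figures on this page.
SAMPLE = """<configuration>
  <connectionStrings>
    <add name="Bad" connectionString="Server=(local);
     Database=NorthWind;uid=sa;pwd=sa;" />
    <add name="Good" connectionString="Server=(local);Database=NorthWind;Integrated Security=SSPI;" />
    <add name="Legacy" connectionString="Server=(local);Database=NorthWind;uid=sa;pwd=sa;" />
    <!-- Windows Integrated Authentication can't be used because they are using Novell -->
  </connectionStrings>
</configuration>"""

# SqlClient keyword synonyms and the values that switch integrated security on.
INTEGRATED_KEYS = ("integrated security", "trusted_connection")
ON_VALUES = {"sspi", "true", "yes"}

def parse_connection_string(value):
    """Split 'key=value;...' into a dict; keys are trimmed and lower-cased."""
    pairs = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep and key.strip():
            pairs[key.strip().lower()] = val.strip()
    return pairs

def uses_integrated_security(value):
    pairs = parse_connection_string(value)
    return any(pairs.get(k, "").lower() in ON_VALUES for k in INTEGRATED_KEYS)

def audit(config_xml):
    """Return {name: verdict} for every <add> under <connectionStrings>."""
    # ElementTree drops comments by default; keep them so the reason can be found.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(config_xml, parser=parser)
    verdicts = {}
    for section in root.iter("connectionStrings"):
        nodes = list(section)
        for i, node in enumerate(nodes):
            if node.tag != "add":
                continue
            nxt = nodes[i + 1] if i + 1 < len(nodes) else None
            documented = (nxt is not None and nxt.tag is ET.Comment
                          and bool((nxt.text or "").strip()))
            if uses_integrated_security(node.get("connectionString", "")):
                verdict = "integrated"
            else:
                verdict = "exception documented" if documented else "exception undocumented"
            verdicts[node.get("name")] = verdict
    return verdicts
```

Calling `audit(SAMPLE)` returns one verdict per connection string name; a build step can fail when any entry is "exception undocumented".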
