For ASP.NET webforms, I have always needed the following server login: [machine_name\ASPNET].
Questions
- Is this requirement the same for ASP.NET MVC? If not, what do I need?
- Does it matter what version of SQL Server I’m using? (Currently, I’m running SQL Server Express 2005, but this could change in the future.)
- Does it matter what version of IIS I’m running? (Currently, I’m running IIS 5.1 under Windows XP, but this could change in the future.)
MVC has nothing to do with it. Your ASP application will connect to SQL Server using the identity of the Application Pool that runs the ASP site. See:
By default application pools run under the built in NETWORK SERVICE account. When connecting locally to a SQL Server on the same host the NETWORK SERVICE authenticate as itself and you need to grant login permissions to it, but when it connect remotely to a SQL instance on a different host the NETWORK SERVICE will authenticate itself as the host machine account (‘domain\machinename$’) and that account needs to be granted login permissions.
Another piece of the puzzle is to know whether the ASP application impersonates the HTTP request or not. When impersonation occurs, the connection will be attempted under the original request caller identity. When the SQL server is on a different host the ASP application has to also delegate the impersonated context further to SQL Server, and in order to do so it has to be trusted for constrained delegation How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0.
Ultimately the application pool identity is under your control and your responsibility to set correctly. Whatever identity the ASP pool has, that must be granted login permissions on the SQL Server. MVC is just a library loaded in the ASP application and does not change the security requirements.