I work on an Internet-facing, ASP.NET-based product that uses SQL Server 2005. Most customers deploy our software using the traditional approach with the app server (IIS) located in a DMZ, and SQL Server behind a secondary firewall.
We would like to pick one type of SQL Server authentication. From a security perspective and/or a customer perspective, which is preferred: Integrated or SQL Server authentication?
I’ve read the related posts, and if it matters, our app uses SQL directly, as well as stored procedures. Our application implements a security model, so we don’t need to be able to distinguish between users within SQL Server.
Thanks, Scott
Either will do. I’ve been told Integrated authentication is a little more secure, as it doesn’t pass SQL login information across the network. The type of authentication isn’t as important as what permissions the account accessing the database is given.
If you are going to give this to clients to install, I would probably go with SQL authentication, as that won’t require another system to authenticate the user (like Active Directory).
Mithcel brings up a good point about letting clients configure it. I have seen places where SQL authentication is expressly forbidden, and others (like where I work now) where using Active Directory accounts isn’t possible.
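As an added example (not from any of the answers above), here is a T-SQL script that sets up the application's database account either way and then locks the permissions down, since the answers agree that what the account can do matters more than how it logs in. The database name AppDb, the SQL login app_svc and the Windows account CORP\AppPoolSvc are made-up placeholders.

```sql
-- Added example, not from the thread. Assumes a database AppDb, a hypothetical
-- SQL login app_svc and a hypothetical Windows account CORP\AppPoolSvc (the IIS
-- application pool identity). Use section 1a OR 1b, not both.
USE master;
GO
-- 1a. SQL Server authentication: the password lives in web.config and is sent
--     at connect time. ASP.NET connection string:
--     "Server=db;Database=AppDb;User ID=app_svc;Password=..."
CREATE LOGIN app_svc WITH PASSWORD = 'REPLACE-WITH-STRONG-PASSWORD',
    CHECK_POLICY = ON, DEFAULT_DATABASE = AppDb;
GO
-- 1b. Integrated (Windows) authentication: no password in the config file;
--     the domain vouches for the app pool identity. ASP.NET connection string:
--     "Server=db;Database=AppDb;Integrated Security=SSPI"
-- CREATE LOGIN [CORP\AppPoolSvc] FROM WINDOWS WITH DEFAULT_DATABASE = AppDb;
-- GO

-- 2. Whichever login is used, map it to a database user that holds only what
--    the application needs (no db_owner, no sysadmin).
USE AppDb;
GO
CREATE USER app_svc FOR LOGIN app_svc;   -- or: FOR LOGIN [CORP\AppPoolSvc]
GO
-- Stored procedures: EXECUTE on the application schema only.
GRANT EXECUTE ON SCHEMA::dbo TO app_svc;
-- Ad-hoc SQL issued by the application: table DML only, no DDL, no other schemas.
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO app_svc;
GO

-- 3. Verification a customer can run after install.
-- Expect 0: the account is not a server administrator.
SELECT IS_SRVROLEMEMBER('sysadmin', 'app_svc') AS is_sysadmin;
-- Expect no rows: the user is in no fixed database role (public is implicit).
SELECT r.name AS role_name
FROM sys.database_role_members m
JOIN sys.database_principals r ON r.principal_id = m.role_principal_id
WHERE m.member_principal_id = DATABASE_PRINCIPAL_ID('app_svc');
-- Expect only the EXECUTE/SELECT/INSERT/UPDATE/DELETE grants from step 2.
SELECT class_desc, permission_name, state_desc
FROM sys.database_permissions
WHERE grantee_principal_id = DATABASE_PRINCIPAL_ID('app_svc');
```

Shipping the script with both login sections lets each customer pick the mode their environment allows (the situations described in the last answer) without changing anything in step 2.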