Windows Forms Login.

I am building a C# Windows application with only one form. The form needs to connect to MS SQL Server 2008 and another application server to work. Now I want to implement a login before the form is loaded. The login would authenticate against the SQL Server and the application server and, if both logins are successful, run the application with connection parameters passed from the login form. If the login fails, let's say, three times, exit the application. Also, when the application is closed, the connection parameters obtained from the login should be reset. Please provide the solutions if you know them, not links to different technologies. We are short on time to implement this.

Atouray (Author) commented:
Thanks a lot, Diver. The SQL Server login and the application server login are totally different and have different sets of logins. Also, the application doesn't have user roles as they are not needed. Right now, for maintenance, we do not worry much. Changing the users on both SQL and app server is not an issue.

The only thing I am left with now is to encrypt the communication between sql and client.
8080_Diver commented:
One solution I have used in the past is to have a "login access" to the SQL Server that is used and then use that to confirm the user's rights to connect to the SQL Server and the Apps server in order to run the application.
In other words, there is a SQL User name and password (which I will refer to as the GateKeeper) that can only access a stored procedure that is used to confirm the user name and password entered by the user. All GateKeeper does is call the SP, passing the user name and password provided by the user and then, if those validate against a table in the database, GateKeeper receives the Username and Password necessary for the user to actually be able to do anything.
Since GateKeeper can only access the one SP and nothing more, this limits the exposure to the database. Since GateKeeper passes the user-entered name and password and receives the appropriate access name and password (if the user name and password validate), the fact that the user knows a name and password has no bearing on direct access to the database and app server. This also puts the maintenance of actual SQL Server user names and passwords and app server user names and passwords in the hands of the admin(s) and provides a quick and easy way to invalidate a user's login (by a simple deletion from or update to a single table).
By having your application obtain the App server and SQL Server logins in this manner, all use of them is internal to the app.  You can even encrypt them in the database so that what is returned has to be decrypted within your app for them to be used.
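The client side of the GateKeeper approach described above, as an added example that is not part of the original comment: the restricted login calls one stored procedure with typed parameters and gets back either the working logins or nothing. The procedure name `dbo.usp_ValidateUser`, its parameters and the result column names are assumptions for illustration.

```csharp
using System.Data;
using System.Data.SqlClient;

// Added example. Hypothetical names: dbo.usp_ValidateUser, @UserName, @Password,
// and the result columns SqlLogin / SqlPassword / AppLogin / AppPassword.
public sealed class IssuedLogins
{
    public string SqlLogin, SqlPassword, AppLogin, AppPassword;
}

public static class GateKeeperClient
{
    // gateKeeperConnectionString logs in as the restricted GateKeeper user, whose
    // only permission in the database is EXECUTE on the validation procedure.
    // Returns null when the user name/password pair does not validate.
    public static IssuedLogins Validate(string gateKeeperConnectionString,
                                        string userName, string userPassword)
    {
        using (var conn = new SqlConnection(gateKeeperConnectionString))
        using (var cmd = new SqlCommand("dbo.usp_ValidateUser", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            // Typed parameters: user input is never concatenated into SQL text.
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 128).Value = userName;
            cmd.Parameters.Add("@Password", SqlDbType.NVarChar, 128).Value = userPassword;

            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (!r.Read())
                    return null;            // no row: the procedure rejected the user

                // The issued logins stay in memory inside the app; they are never
                // shown to the user or written to disk.
                return new IssuedLogins
                {
                    SqlLogin    = r.GetString(r.GetOrdinal("SqlLogin")),
                    SqlPassword = r.GetString(r.GetOrdinal("SqlPassword")),
                    AppLogin    = r.GetString(r.GetOrdinal("AppLogin")),
                    AppPassword = r.GetString(r.GetOrdinal("AppPassword"))
                };
            }
        }
    }
}
```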
Atouray (Author) commented:
Actually I've been waiting for so long for an answer. I've implemented a solution but would like to have comments from experts. I've changed my design in such a way that when the end user runs the application, the application controls are disabled and hidden and only the login interface is visible. When the user provides usernames and passwords for both SQL Server and application server, I attempt to log in to both SQL and app server. If login is successful to both servers, the application with the necessary controls is launched. Otherwise the specific exceptions are thrown to the user. With this, end users can only access the controls after being able to successfully connect to both SQL Server and application server. Please, if you have any comments or suggestions, let me know.
8080_Diver commented:
"Actually I've been waiting for so long for an answer"
07/03/09 04:39 AM to 07/03/09 09:32 AM?!?!?!?!  
Patience is a virtue that is required for applications development! ;-)
Okay, I am assuming that your approach is working, so that means, pragmatically speaking, you do have a solution.  So I'll respond to your request for comments.
Some comments on what you have done:
  • By having the controls disabled until a correct username/password combination has been provided, you are definitely controlling the user's access to those controls . . . this is a Good Thing;
  • Do you have a user password policy that is being implemented?
  • You have to be using SQL Server log-ins for the database but that means that your apps server logins, which are probably Windows logins, are the same as the database logins . . . this is not really the most secure approach to things and it also complicates redefining the access that a user may have to the database (either to make the access more or less restricted).
  • When a User successfully logs on, do you have levels of users?  I.e. can everyone do anything that anyone else can do or can some do things (like maintenance on data) that others cannot (like, maybe, people who only need to view/run reports)?
The approach you have taken is a little like the approach I was suggesting in that the first thing the user has to do is log on.  However, there are some noticeable differences:
  • The user's attempt to log on is directed directly at the database and the app server,
  • The User's Username and Password are going to have to be maintained both in SQL Server and on the app server, which complicates the maintenance a little and requires keeping permissions, etc., in synch.
The level of security and the maintenance questions are things you will have to decide on, so that part is really up to you.
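The login flow this thread asks for (both servers must accept, three failed attempts end the session, the SQL connection is encrypted, and the parameters are reset on close), as an added example that is not code from any of the posts. `IAppServerClient` is a hypothetical stand-in for the application server's login call, which the thread does not name.

```csharp
using System;
using System.Data.SqlClient;

// Hypothetical interface: wrap whatever login API the application server offers.
public interface IAppServerClient { bool TryLogin(string user, string password); }

public sealed class LoginSession : IDisposable
{
    public const int MaxAttempts = 3;
    private int _failed;

    public string SqlConnectionString { get; private set; }
    public bool LockedOut { get { return _failed >= MaxAttempts; } }

    public static string BuildConnectionString(string server, string db,
                                               string user, string pwd)
    {
        return new SqlConnectionStringBuilder
        {
            DataSource = server, InitialCatalog = db, UserID = user, Password = pwd,
            Encrypt = true,                  // TLS between client and SQL Server
            TrustServerCertificate = false,  // server certificate must validate
            PersistSecurityInfo = false      // password not readable back after Open()
        }.ConnectionString;
    }

    // True only when BOTH servers accept the credentials.
    public bool TryLogin(string server, string db, string sqlUser, string sqlPwd,
                         IAppServerClient app, string appUser, string appPwd)
    {
        if (LockedOut) return false;
        string cs = BuildConnectionString(server, db, sqlUser, sqlPwd);
        try
        {
            using (var conn = new SqlConnection(cs)) { conn.Open(); }
        }
        catch (SqlException ex)
        {
            if (ex.Number != 18456) throw;   // 18456 = login failed; others are not attempts
            _failed++; return false;
        }
        if (!app.TryLogin(appUser, appPwd)) { _failed++; return false; }
        SqlConnectionString = cs;            // handed to the main form after login
        return true;
    }

    // Call from the main form's FormClosed handler to reset the parameters.
    public void Dispose() { SqlConnectionString = null; _failed = 0; }
}
```

In `Main`, show the login dialog first, call `Application.Run` with the main form only after `TryLogin` returns true, and exit once `LockedOut` is true.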