rko9911

SQL connections with either Windows or SQL Authentication in VB.net

Several years ago, I had developed a VB.NET application that attaches to SQL Server with Windows Authentication that we use at our company.  Recently, I was asked to add a user who is in a non-trusted domain.  I have changed the SQL Server authentication to mixed mode and added the person in Security->Logins and Database->Security->Users.  But honestly, I have no idea what to do next.  I am by no means a professional programmer, but I do have a decent understanding of VB and SQL.  

I really don't want to add a uid and password in an additional connection string in the app.config.  

What I would like to do is have the application check for authentication on load.  If the user has Windows authentication, proceed normally.  If the user has SQL authentication, go to a login screen.  

But I will be happy to entertain other suggestions.  

Any help would be appreciated. Any code snippets would be helpful too.
ASKER CERTIFIED SOLUTION
Jacques Bourgeois (James Burger)
This solution is only available to members.
SOLUTION
srikanthreddyn143
This solution is only available to members.
A further development of Jacques Bourgeois (James Burger)'s method would be to:
Check if the domain that validated the user launching the app has the right domain name; if so, launch as usual. If not, use the alternate connection string and let the user fill in name and password.

I would not let this program store the pwd in, for example, the registry. But I would let it "remember" the user last entered in the user field, and let the second launch of this program fill in the user and set focus on the password field. All to make it comfortable for the user, but still safe!

Note though, as a security remark: there is code out there in the wild that can take a network capture, find the SQL logon name, extract the hash, and then bruteforce it. This means someone evil can sniff the pwd (or bruteforce it, to be correct). If the password needs to be entered manually, it can't be brutally long, and not too complicated. Which means it can be bruteforced!

There are solutions to this, I'm not going to suggest them in this thread, but rather inform about the cavity of such a solution.

Regards Marten
rko9911

ASKER

Thank you very much.  I used a combination of Jacques' and srikanthreddyn143's solutions.  I started the application with a Login screen, but on load tried the trusted connection, and if OK, then immediately opened the main menu.  If this check failed, it would stay on the login screen, where the submit button would check credentials.  I had the different forms reference which connection method was used through a flag to determine which connection string to use when running the queries.  I used both answers to help me with this.
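
The flow described in this thread (trusted connection first, login screen as fallback, nothing stored in app.config), sketched in VB.NET as an added example that is not code from any participant. The server and database names are placeholders, the module and function names are hypothetical, and `Encrypt = True` assumes the SQL Server presents a certificate the client trusts.

```vb
Imports System.Data.SqlClient
Imports System.Security

' Added example; "SQLHOST01" and "CompanyDb" are placeholders, not values from the thread.
Public Module DbAccess
    Private Const Server As String = "SQLHOST01"
    Private Const Database As String = "CompanyDb"
    ' Nothing = Windows authentication; otherwise the SQL login validated at startup.
    Private _sqlCredential As SqlCredential = Nothing

    ' Settings shared by both modes: no uid/password in the string, TLS requested.
    Private Function BaseBuilder() As SqlConnectionStringBuilder
        Return New SqlConnectionStringBuilder() With {
            .DataSource = Server, .InitialCatalog = Database,
            .Encrypt = True, .TrustServerCertificate = False, .ConnectTimeout = 5}
    End Function

    ' Login form Load: True means the trusted connection works, so skip the login screen.
    Public Function TryWindowsAuth() As Boolean
        Dim b = BaseBuilder()
        b.IntegratedSecurity = True
        Return CanOpen(New SqlConnection(b.ConnectionString))
    End Function

    ' Submit button: the password stays in a SecureString and is never written to disk.
    Public Function TrySqlAuth(user As String, password As SecureString) As Boolean
        password.MakeReadOnly()   ' SqlCredential requires a read-only SecureString
        Dim cred = New SqlCredential(user, password)
        If Not CanOpen(New SqlConnection(BaseBuilder().ConnectionString, cred)) Then Return False
        _sqlCredential = cred
        Return True
    End Function

    ' Every other form calls this instead of checking a flag and picking a connection string.
    Public Function OpenConnection() As SqlConnection
        Dim b = BaseBuilder()
        b.IntegratedSecurity = (_sqlCredential Is Nothing)
        Dim cn = If(_sqlCredential Is Nothing, New SqlConnection(b.ConnectionString),
                    New SqlConnection(b.ConnectionString, _sqlCredential))
        cn.Open()
        Return cn
    End Function

    Private Function CanOpen(cn As SqlConnection) As Boolean
        Using cn
            Try
                cn.Open()
                Return True
            Catch ex As SqlException   ' login failed or server unreachable
                Return False
            End Try
        End Using
    End Function
End Module
```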