2

Language: C#, SQL
Framework: ASP.NET Core MVC
Target: Web

My web application connects to the database to retrieve information.

I was first learning to implement a working concept and after that, I would improve the security.

public class DataBaseConnection
{
    public SqlConnection connection = new SqlConnection("Secret Connection String goes here.");
}

Storing the connection string this way is unsafe, so I looked for alternatives.

Research:
Securing Connection String in ASP.NET MVC
In this question, it is mentioned that:
- It is a better idea to store the connection string in the configuration file.
- To be safe I could encrypt the connection string.
- You don't have to store the username and password in the connection string if you use a Windows Authentication Token.

So, it would look like this: 

"AllowedHosts": "*",
"ConnectionStrings": {
    "Default": "Data Source=(localdb)\\MSSQLLocalDB; Initial Catalog=TestDB; Integrated Security=True;"
}

My question differs in the fact that I need to connect to an external database.

My problem:
Integrated Security=True; uses the authentication token of the the user that is currently logged into the computer to log into the database and this only works on a local network with an active directory in a test environment.

So, in production, I will have to use a username and password in the connection string.

My question:
Is there a way to connect to an external database (on another network) without storing the username and password in the connection string? So, in a nutshell. Would it be possible to use an authentication token as an alternative in the connection string?

Improve this question
3
  • I think windows authenetication is possible in ASP NET. Take a look at that. Commented Apr 17, 2020 at 12:25
  • 2
    Typically the way it can be done is to assign a user to the application pool in IIS running the app, and then giving that user access to the SQL server. Then integrated auth works just like that. If you run in Azure, I encourage you to check out Managed Identity as well. Commented Apr 17, 2020 at 12:29
  • the guidance for .net core has changed. learn.microsoft.com/en-us/aspnet/core/security/… Commented Apr 17, 2020 at 13:38

2 Answers 2

Reset to default
1

No, it is not possible. It's either a user/pass or "integrated security". The integrated security is similar to Windows Auth, in that it sort automatically logs you in to the DB. However, just as with Windows Auth, there are prerequisites. The client (your app) must be on the same domain as your DB server, i.e. they must both be joined to a Windows domain, and be on the same network or connected via a virtual private network. If the database is truly "external", then you cannot use this.

There's absolutely nothing wrong with including the username and password in the connection string. However, you should then of course take steps to protect the connection string. First, it should never be hardcoded, but always provided via configuration. Then, it should be in a configuration source that is relatively secure. For example, don't drop it in something like appsettings.json, as it's both not encrypted and will end up committed to your source control. Instead, you should use environment variables or secure secret store like Azure Key Vault. Environment variables are not encrypted, but they are local on the server and can be protected via user-level access controls. While there's potential to be exposed, it would require a malicious actor to have relatively high-level access to log in directly to your server, which means that the exposed connection string is really the least of your problems at that point.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

-1

Assuming when you say "external" means it is not in the same network as your web application is , the you cannot use Windows Authentication / Integrated Security. Then you would have to pass the username and password in the connection string.

I would also assume that your web application is able to connect to a database in your local network then I would generate the connection string dynamically using the following steps:
1. Encrypt the username and password using any encryption algorithm and key. You can use Protected Data Class for the purpose
2. Store the user name, password and key in your local database table in an encrypted format
3. In your code, you can read the table for encrypted values, decrypt then and build the connection string dynamically.
4. Use the dynamically generate connection string in your code

public class DataBaseConnection
{
    public SqlConnection connection = new SqlConnection("Dynamically generated string");
}

To control who can and how to encrypt and decrypt, you can use the ProtectedData Class

Improve this answer

1 Comment

I think creating a database to store the connection string of another database is a little overkill.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.