November 5, 2012
Question

Connect ColdFusion 9 to SQL using intranet users' Windows credentials


Is it possible to use pass-through / integrated authentication using the application user's Windows account (rather than the service account) when a ColdFusion application connects to an MS SQL DB?

For background, we are running:

ColdFusion 9,0,1,274733 hosted on a Windows 2008 R2 (64) server

SQL server 2008 R2 hosted on a Windows 2008 R2 (64) server

IE 8 and/or 9 as the client browser

I have an intranet application that is used only by users within our AD domain. I have no problem getting ColdFusion to connect to the SQL database using the ColdFusion service account, but ideally we would like the connection to be made under the application user's account.

I would appreciate any guidance on how to achieve this if it is possible?

(I am not a webmanager/developer and so my ColdFusion knowledge is very limited!)

Thanks in advance,

Darren


    Inspiring
    November 5, 2012

    What is the reason you want to do this?  There might be another way to accomplish that goal.

    November 6, 2012

    Thank you for the responses, Carl and Dan.

    The main reason for this is that the ColdFusion application is just one of the interfaces that is interacting with this database. There is a load of security and user action auditing that is going on in the background that is using integrated authentication as a control (i.e. tying all user actions to their Windows account without the user having to log in to each application individually). I was hoping that ColdFusion could just integrate in the same way, but I guess I will have to pass the Auth_User variable instead and handle this data value explicitly in the DB.

    Regards,

    Darren
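
The fallback described in the post above (passing `Auth_User` to the database explicitly), sketched as an added example that is not code from the thread. It assumes IIS has Windows Authentication enabled and Anonymous Authentication disabled for the application; the datasource `intranetDSN`, the procedure `dbo.usp_UpdateOrderStatus`, its parameters, and the sample values are hypothetical.

```cfml
<!--- Added example. CGI.AUTH_USER is filled in by IIS only when the request
      was authenticated; it is never read from a form field or URL parameter. --->
<cffunction name="getAuditUser" returntype="string" output="false">
    <cfset var authUser = trim(cgi.auth_user)>

    <!--- Empty value: the request reached ColdFusion without Windows
          authentication. Fail closed instead of writing an anonymous audit row. --->
    <cfif not len(authUser)>
        <cfthrow type="Audit.NoIdentity"
                 message="Request has no authenticated Windows user.">
    </cfif>

    <!--- Assumption: identities arrive as DOMAIN\user. Anything else is
          rejected rather than stored in the audit trail. --->
    <cfif not reFind("^[A-Za-z0-9._-]+\\[A-Za-z0-9._$ -]+$", authUser)>
        <cfthrow type="Audit.BadIdentity"
                 message="Unexpected format for authenticated user name.">
    </cfif>

    <cfreturn authUser>
</cffunction>

<!--- Constructed sample values for the hypothetical procedure call. --->
<cfset orderId = 1001>
<cfset newStatus = "SHIPPED">

<!--- The connection itself still runs under the ColdFusion service account or
      SQL login; the end user's identity travels as a bound parameter. --->
<cfstoredproc procedure="dbo.usp_UpdateOrderStatus" datasource="intranetDSN">
    <cfprocparam cfsqltype="cf_sql_integer" value="#orderId#">
    <cfprocparam cfsqltype="cf_sql_varchar" maxlength="20" value="#newStatus#">
    <cfprocparam cfsqltype="cf_sql_varchar" maxlength="128" value="#getAuditUser()#">
</cfstoredproc>
```

With this approach, audit logic in the database has to record the passed parameter, because `SUSER_SNAME()` will return the login ColdFusion connected with, not the end user.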

    BKBK
    Community Expert
    November 6, 2012

    @Daz

    I'll echo Dan's question: what is the reason you want to do this? Imagine a tourist obtaining a visa that also authorizes him to visit a nuclear installation. What you are thinking of doing is analogous to that.

    SQL Server is a vital resource within the Windows domain. Permission to access SQL Server should therefore be distinct from permission to enter the domain. In fact the golden rule of IT security says that every resource should have just the minimum permissions necessary for it to perform its tasks, no more. Thus, ColdFusion should have the minimum SQL Server permissions necessary for it to perform its tasks.

    Carl Von Stetten
    Legend
    November 5, 2012

    I've never been able to get that to work.  I have only been able to use SQL Authentication (an actual account created on the SQL Server instance rather than a Windows account).  However, I think it might be possible if you install Microsoft's SQL Server JDBC driver and tweak the connection string (I have a vague recollection of seeing someone talk about this either in a blog post or on CF-Talk (http://www.houseoffusion.com)).

    -Carl V.