Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What is the purpose of creating a login from a certificate?

Tags:

authentication

sql-server

ssl-certificate

client-certificates

SQL Server provides the option to create a login from a certificate. E.g.

USE MASTER;
CREATE CERTIFICATE <certificateName>
    WITH SUBJECT = '<loginName> certificate in master database',
    EXPIRY_DATE = '12/05/2025';
GO
CREATE LOGIN <loginName> FROM CERTIFICATE <certificateName>;
GO

However, the documentation states (emphasis mine):

Logins created from certificates or asymmetric keys are used only for code signing. They cannot be used to connect to SQL Server. You can create a login from a certificate or asymmetric key only when the certificate or asymmetric key already exists in master.

What is the point of creating a login that cannot be used to connect to the server?

Background

We need to make some security changes to our middle-tier application. In particular, how it connects to its database. The powers that be have decreed that: "we cannot use Windows authentication".
I know this would normally be the preferred method, but anyone who has access to the middle-tier servers would have the same access to the database as the application.

If we use SQL authentication, we would need to:

  • Encrypt the password.
  • Store it in a config file/registry.
  • Then decrypt the password when the application needs to connect to the database.

While the above is possible, I was somewhat hoping that:

  • I could use a certificate based login.
  • Associate the certificate with the application during the build process.
  • And use that to connect to SQL Server.

The above mentioned extract from the documentaion seems to contradict this.

like image 496
Disillusioned Avatar asked May 14 '14 15:05

Disillusioned

People also ask

What is a login certificate?

It is issued by a trusted organization, which is called a certificate authority (CA), and provides identification for the bearer. If you specify client-certificate authentication, the Web server will authenticate the client using the client's X.

Why do we use authentication certificates?

Certificate-based authentication is generally considered preferable to password-based authentication because it is based on what the user has, the private key, as well as what the user knows, the password that protects the private key.

What is the difference between a login and a credential?

Login credentials enable users to log in and verify their identities to online accounts on the internet. User credentials are typically a username and password combination used for logging in to online accounts.

What does certificate authentication provide?

It enables the user's browser or client to log in to various systems automatically using a saved digital certificate from their individual device or computer. In general, client certificate-based authentication is preferable to password-based authentication.

1 Answers

It is used for code signing SQL Server database objects. The CREATE LOGIN x FROM CERTIFICATE y is fully explained here along with examples and scenarios for SQL Server 2008 and 2008 R2: http://technet.microsoft.com/en-us/library/ms345102(v=sql.105).aspx

Here's a great example of signing a stored procedure in SQL Server 2014: http://technet.microsoft.com/en-us/library/bb283630.aspx

like image 143
TrevorBrooks Avatar answered Oct 06 '22 00:10

TrevorBrooks
Sign in to Comment

Related questions

Visual Studio 2010 database edition schema compare where target is dbproj
How to accomplish query notification on SQL Server with python
Differences in Default Network Packet Size: SqlConnection vs. SQL Server defaults
Select query skips records during concurrent updates
Routing to Different SQL Server Instances Running through Docker on Default Port
Merging duplicated records together with "Merge" syntax
What is the best way to attach existing database to sql localdb?
SQL Srv 2016: Login failed for user 'MicrosoftAccount\...'
SqlConnection vs Sql Session. Do their lifetimes coincide?
Convert Historical Local Time to UTC Time in SQL Server
How to implement ASP.NET identity: CREATE DATABASE permission denied in database 'master'
SSRS report files (.rdl) how to upgrade to latest?
SQL Server 2008 Hierarchy Data Type Performance?
Is there a practical way to use the hierarchyID datatype in entity framework 4?
Django Model Choices: IntegerField vs CharField
Migrating from MySQL to SQL Server, issues with constraints

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!