SQL Server provides the option to create a login from a certificate. E.g.
USE MASTER;
CREATE CERTIFICATE <certificateName>
WITH SUBJECT = '<loginName> certificate in master database',
EXPIRY_DATE = '12/05/2025';
GO
CREATE LOGIN <loginName> FROM CERTIFICATE <certificateName>;
GO
However, the documentation states (emphasis mine):
Logins created from certificates or asymmetric keys are used only for code signing. They cannot be used to connect to SQL Server. You can create a login from a certificate or asymmetric key only when the certificate or asymmetric key already exists in master.
What is the point of creating a login that cannot be used to connect to the server?
We need to make some security changes to our middle-tier application. In particular, how it connects to its database. The powers that be have decreed that: "we cannot use Windows authentication".
I know this would normally be the preferred method, but anyone who has access to the middle-tier servers would have the same access to the database as the application.
If we use SQL authentication, we would need to:
While the above is possible, I was somewhat hoping that:
The above mentioned extract from the documentaion seems to contradict this.
It is issued by a trusted organization, which is called a certificate authority (CA), and provides identification for the bearer. If you specify client-certificate authentication, the Web server will authenticate the client using the client's X.
Certificate-based authentication is generally considered preferable to password-based authentication because it is based on what the user has, the private key, as well as what the user knows, the password that protects the private key.
Login credentials enable users to log in and verify their identities to online accounts on the internet. User credentials are typically a username and password combination used for logging in to online accounts.
It enables the user's browser or client to log in to various systems automatically using a saved digital certificate from their individual device or computer. In general, client certificate-based authentication is preferable to password-based authentication.
It is used for code signing SQL Server database objects. The CREATE LOGIN x FROM CERTIFICATE y is fully explained here along with examples and scenarios for SQL Server 2008 and 2008 R2: http://technet.microsoft.com/en-us/library/ms345102(v=sql.105).aspx
Here's a great example of signing a stored procedure in SQL Server 2014: http://technet.microsoft.com/en-us/library/bb283630.aspx
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With