2

I need to switch a website's database connection from username and password in the connection string to NTLM - from what I have been told, this should just be a matter of updating the connection string.

I have spent some time trawling through here and the web in general; I have found a lot of very confusing pages that explain how NTLM works (I have never had to work with any kind of authentication before), but have not found a simple example of how to set up the connection string in my web.config to use NTLM.

Can anyone provide an example of how an NTLM-configured connection string should look (I have the service account names and passwords) - alternatively if I have been misinformed, can someone point me in the direction of a step-by-step guide as to how to integrate this connection into my website?

Ben Pritchard
  • 35
  • 1
  • 4
  • It's not called NTLM. It was *never* called NTLM when talking about the database. It was always Integrated or Windows Authentication. – Panagiotis Kanavos Sep 19 '17 at 09:38
  • You (the application, server, whatever) *don't* have to know anything about the protocol. When one application tries to use a resource, whether that's a file, network share or remote database the OS itself makes the call as that user. – Panagiotis Kanavos Sep 19 '17 at 09:42

1 Answers1

4

You may be struggling to find decent information about this because it's not normally referred to as NTLM any more.

In SQL Server parlance, what you're looking for is "Integrated Security". You can specify this in your connection string as:

Server=SomeServer;Database=SomeDatabase;Integrated Security=SSPI;

And that should be sufficient - the connection security will be based on the windows user account under which the code is executing, rather than explicitly providing a username/password combination.

SSPI stands for Security Support Provider Interface and is used to indicate that a range of security protocols, such as NTLM and Kerberos can be negotiated.

Damien_The_Unbeliever
  • 234,701
  • 27
  • 340
  • 448
  • 1
    I think even the SSPI keyword isn't used anymore, because SSPI itself was replaced. Later connection strings use `Trusted_Connection=true`. – Panagiotis Kanavos Sep 19 '17 at 09:40
  • 1
    @PanagiotisKanavos - `SSPI` is the preferred value to use since `true` and `sspi` are interchangeable for the SQL Server provider but some other providers only support(ed) `sspi` - see [here](https://stackoverflow.com/a/23637478/15498) – Damien_The_Unbeliever Sep 19 '17 at 09:55