Re: Authentication

Posted by Erland Sommarskog on 06/14/06 15:17

(Eng.Rana@gmail.com) writes:
> I was wondering what is the main difference between the windows
> authentication and mixed mode authentication?
> according to security recommendations, we should enable windows
> authentication, rather than mixed one, I don't get the point why do we
> refuse the mixed mode authentication, although it includes windows
> authentication together with an extra layer of defense by the aid of an
> extra authentication mechanism, sql authentication.

No, mixed mode does not give you any extra layer of protection.

In the beginning, SQL Server only had one means of authentication: username
and password stored in the master database in SQL Server. To connect to SQL
Server, you needed to specify username and password. This is today known as
SQL authentication.

Later Microsoft added Windows authentication which permits you to log in
with your Windows credentials. This is known as "Windows authentication",
"Trusted connection" or "Integrated Security".

In SQL 6.x you had three choices: Windows authentication only, SQL
authentication only or both. With SQL 7, Microsoft removed the alternative
SQL authentication only.

Windows Authentication is generally regarded as more secure in SQL 2000,
because SQL Server does not have any means to check password strength,
lock accounts with many failed logins etc. Also, it's fairly easy to
crack a password sent over the wire, as the "encryption" is just a mild
form of obfuscation. Some of these issues have been resolved in SQL 2005,
provided that you use Windows 2003.

However, Windows authentication requires that both client and server are
in the same domain, or are in domains that trust each other. Mixed mode
is also convenient when you work in a development environment and need
to load stored procedures etc from a privileged account, but you need to
test the application as a low-priv user.


--
Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx
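
An added example, not part of the post above: on SQL Server 2005 or later, these queries show which authentication mode an instance runs in and which SQL logins are not covered by the password policy and lockout checks the reply refers to. The login name app_login is a placeholder.

```sql
-- Added example, not from the original post. Requires SQL Server 2005 or later
-- (sys.sql_logins and LOGINPROPERTY do not exist in SQL 2000).

-- 1. Authentication mode of the instance.
SELECT CASE CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)
           WHEN 1 THEN 'Windows authentication only'
           WHEN 0 THEN 'Mixed mode (Windows + SQL authentication)'
       END AS authentication_mode;

-- 2. SQL logins that are exempt from the Windows password policy
--    (complexity, lockout) or from password expiration.
SELECT name,
       is_disabled,
       is_policy_checked,
       is_expiration_checked,
       LOGINPROPERTY(name, 'IsLocked')            AS is_locked,
       LOGINPROPERTY(name, 'BadPasswordCount')    AS bad_password_count,
       LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set
FROM   sys.sql_logins
WHERE  is_policy_checked = 0
   OR  is_expiration_checked = 0
ORDER BY is_disabled, name;

-- 3. Bring one login under the policy. app_login is a placeholder name.
--    CHECK_EXPIRATION can only be turned on once CHECK_POLICY is on.
ALTER LOGIN [app_login] WITH CHECK_POLICY = ON;
```

On a mixed-mode instance, every enabled row returned by the second query is a login whose password is checked by SQL Server alone, with no complexity or lockout enforcement.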
