Though the Sitecore installer does not support Windows authentication yet, it is possible to reconfigure the system manually after the installation.
In production environments where security considerations represent a major concern, using a SQL user as well as having username and password specified as clear text in the connection string might be undesirable.
Production SQL Server boxes generally reside on a different machine that does not have access to the local account the Sitecore application process is authenticated as. That’s why the same domain user should be used for both Windows authentication on the SQL Server box and the application pool identity on the web server where Sitecore is running.
Here are the steps to configure this:
- Find the application pool that your Sitecore is running under. Open Properties and set the identity to the domain user on the corresponding tab.
- On the SQL Server box, register the domain user and grant it security permissions on the Sitecore databases according to section “3.7.2 Creating a Database Account for Sitecore CMS Databases on SQL Server 2005” of the Installation Guide.
- On the machine that hosts Sitecore, add this domain user to the IIS_WPG group.
- Adjust the permissions for the IIS_WPG group according to this section of the Installation Guide.
- Edit the `/App_Config/ConnectionStrings.config` file and replace the _user id_ and _password_ parameters with the `Trusted_Connection=Yes` option:
```xml
<?xml version="1.0" encoding="utf-8"?>
<connectionStrings>
  <add name="core" connectionString="Data Source=.\sql2008;Database=Sandbox6_Core;Trusted_Connection=Yes" />
  <add name="master" connectionString="Data Source=.\sql2008;Database=Sandbox6_Master;Trusted_Connection=Yes" />
  <add name="web" connectionString="Data Source=.\sql2008;Database=Sandbox6_Web;Trusted_Connection=Yes" />
</connectionStrings>
```

- Prepare your identity so it can be used as a service account with “aspnet_regiis.exe” and the [-ga switch](http://msdn.microsoft.com/en-us/library/ms998297.aspx).
- Adjust your global.asax so that the following two statements run in Application_Start:
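```csharp
public void Application_Start()
{
    // Use the machine-level key store instead of the user profile store,
    // which the domain service account may not have loaded.
    System.Security.Cryptography.RSACryptoServiceProvider.UseMachineKeyStore = true;
    System.Security.Cryptography.DSACryptoServiceProvider.UseMachineKeyStore = true;
}
```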
Anonymous access to the website is still enabled, using the IUSR account. Impersonation also remains disabled in web.config, as it is by default.
ASP.NET cannot send NT credentials over the network if the SQL Server name is resolved using the HOSTS file, although accessing the same server by NetBIOS name or IP address works fine.
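A check for the ConnectionStrings.config step above, as an added example that is not part of the original article or of Sitecore's tooling: it parses the file and reports every entry that still embeds a SQL user name or password, or that does not request Windows authentication. The sample file, the `sc_web` account and its password are constructed; the keyword synonyms are those SqlClient accepts.

```python
import xml.etree.ElementTree as ET

# SqlClient keyword synonyms, compared case-insensitively.
CREDENTIAL_KEYS = {"user id", "uid", "user", "password", "pwd"}
INTEGRATED_KEYS = {"trusted_connection", "integrated security"}
INTEGRATED_ON = {"yes", "true", "sspi"}


def parse_connection_string(conn):
    """Split 'k=v;k=v' into a dict with lower-cased keys; the last duplicate wins."""
    pairs = {}
    for part in conn.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip().strip("'\"")
    return pairs


def audit(config_xml):
    """Return {name: [findings]} for every <add> entry; an empty list means clean."""
    report = {}
    for entry in ET.fromstring(config_xml).iter("add"):
        pairs = parse_connection_string(entry.get("connectionString", ""))
        findings = []
        # Credentials are flagged even when integrated security is also set:
        # the secret would still sit in the file in clear text.
        leaked = sorted(CREDENTIAL_KEYS.intersection(pairs))
        if leaked:
            findings.append("embedded credentials: " + ", ".join(leaked))
        if not any(pairs.get(k, "").lower() in INTEGRATED_ON for k in INTEGRATED_KEYS):
            findings.append("Windows authentication not enabled")
        report[entry.get("name")] = findings
    return report


# Constructed sample: "web" was left on SQL authentication after the change.
SAMPLE = """<connectionStrings>
  <add name="core" connectionString="Data Source=.\\sql2008;Database=Sandbox6_Core;Trusted_Connection=Yes" />
  <add name="master" connectionString="Data Source=.\\sql2008;Database=Sandbox6_Master;Integrated Security=SSPI" />
  <add name="web" connectionString="Data Source=.\\sql2008;Database=Sandbox6_Web;user id=sc_web;password=example-only" />
</connectionStrings>"""

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```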