
Thursday, March 29, 2012

Endpoints and authentication

I tried asking a similar question over at the asp.net, but I'm not getting any replies.

I created an endpoint in SS 2005 using DIGEST authentication, and I was successful in adding the web service to my project and getting results from a call to it.

However, the production environment does not exist in a domain environment, which eliminates even DIGEST (which requires a valid windows domain logon).

But, when I create the endpoint using BASIC authentication, I can no longer "find" the service. SS says the command(s) completed successfully after the Create Endpoint command. As a test, the documentation says that you can enter the http site into IE and the WSDL will display. And that works in digest mode. However, I've tried both:
http://<server>/path?WSDL and
https://<server>/path?WSDL
And neither returns the WSDL in IE (nor can it be added to my project as a web service).

I'm hoping someone has some ideas on how I can resolve this problem.

TIA,
Dave

I suspect that my SSL problem has to do with how the server is set up. I just tried using DIGEST authentication with a LOGIN_TYPE=MIXED. This combination requires PORTS=SSL also.

I got the same messages when I tried to attach. Firefox reports the error as "The connection was interrupted". IE says "Internet Explorer cannot display the webpage".

Could someone give a few hints on what to check on my server?

TIA,
Dave

Monday, March 26, 2012

Encryption not supported on SQL Server

Getting this error when trying to get into Enterprise
Manager on the local server. I can get into EM from other
machines. I also have an ASP application running locally
on the same SQL box that gets the same error when trying
to run. This all started recently after a reboot of the
server. I know some SQL stuff but I have just walked into
this support role. I need help to get the ASP app working
ASAP!

This error usually indicates that you have checked the "Force Protocol
Encryption" option using the Client network utility or set the following
registry key on the server.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib
Encrypt == 1
Thanks,
Kevin McDonnell
Microsoft Corporation
This posting is provided AS IS with no warranties, and confers no rights.

Thursday, March 22, 2012

encryption

I have a number of both classic asp and asp.net applications which are
writing data into a sql server 2000 database. I am looking at a least
effort way of encrypting some of these details, I was thinking the best way
might be to create a trigger on the relevant database fields which encrypts
the information on insert. I am not sure what should go into the trigger to
do the encryption, any ideas?
There are a couple of issues to note
1. It would have to be a strong encryption algorithm like triple DES.
2. Data from the database would need to be extracted into a vb.net
application which would need to be able to decrypt it, ideally with the
encryption functions built into .Net.
3. Encrypting the data in the asp/asp.net code before inserting is not
particularly practical due to the large number of separate applications.
Scott

There are 3rd party vendors that offer database encryption, that SQL 2000
cannot natively provide.
Here's one of the vendors.
http://www.protegrity.com/
Some articles that may be of interest.
325757 INF: Using SQL Server 2000 with FIPS 140-1 Ciphers
http://support.microsoft.com/?id=325757
331367 PRB: Cannot Decrypt Data Using Data Encryption Standard (DES) Key
Across
http://support.microsoft.com/?id=331367
Building Secure ASP.NET Applications: Authentication, Authorization, and
Secure Communication
http://msdn.microsoft.com/library/d...-us/dnnetsec/html/SecNetHT08.asp
Thanks,
Kevin McDonnell
Microsoft Corporation
This posting is provided AS IS with no warranties, and confers no rights.|||Hmmm .. Interesting. I am not a supporter of writing this in a trigger
personally. This will not be efficient and you will land up writing an
Extended stored procedures to do the encryption for you. In SQL Server 2005
this is out of the box feature to use and capitalize.
As a strategy I would always support things to be done in the middle tier
and then encrypting and decrypting them at that layer rather than sending it
to database and later trying to encrypt before inserting. Just my personal
views ...
HTH,
Vinod Kumar
MCSE, DBA, MCAD, MCSD
http://www.extremeexperts.com
Books Online for SQL Server SP3 at
http://www.microsoft.com/sql/techin.../2000/books.asp
"scottrm" <scottrm@.newsgroup.nospam> wrote in message
news:3CE2425A-6063-48B3-A2DF-76C6F37AA06A@.microsoft.com...
> I have a number of both classic asp and asp.net applications which are
> writing data into a sql server 2000 database. I am looking at a least
> effort way of encrypting some of these details, I was thinking the best way
> might be to create a trigger on the relevant database fields which encrypts
> the information on insert. I am not sure what should go into the trigger to
> do the encryption, any ideas?
> There are a couple of issues to note
> 1. It would have to be a strong encryption algorithm like triple DES.
> 2. Data would from the database needs to be extracted into a vb.net
> application which would need to be able to decrypt it, ideally with the
> encryption functions built into .Net.
> 3. Encrypting the data in the asp/asp.net code before inserting is not
> particularly practical due to the large number of separate applications.
>
> --
> Scott

Wednesday, March 21, 2012

Encrypting datafile and backups

Hi
I read a good article on EFS
http://www.sqlservercentral.com/columnists/bkelley/implementing_efs.asp
How do you do encryption of backups
I found that the backup made from a encrypted data if recovered are not
encrypted as it is OS encryption and not database.
Also another interesting question on same line:
If the domain account used to start the sqlserver and encryption is deleted
and recreated with the same login/password will that user be able to decrypt
the files.
Mangesh
Also if we can recover the encrypted file

Mangesh Deshpande wrote:
> Hi
> I read good article on EFS
> http://www.sqlservercentral.com/columnists/bkelley/implementing_efs.asp
> How do you do encryption of backups
> I found that the backup made from a encrypted data if recovered are
> not encrypted as it is OS encrytion and not database.
> Also another interesting question on same line:
> If the domain account used to start the sqlserver and encryption is
> deleted and recreated with the same login/password will that user be
> able to decrypt the files.
> Mangesh
> Also if we can recover the encrypted file
You can use a tool like LiteSpeed to encrypt your backups (url below).
--
David Gugick
Imceda Software
www.imceda.com|||Hi
EFS is based on Certificates. You lose the Certificate, you lose access to
your data. If you re-set a user's password, his certificates become invalid.
Regards
Mike
"Mangesh Deshpande" wrote:
> Hi
> I read good article on EFS
> http://www.sqlservercentral.com/columnists/bkelley/implementing_efs.asp
> How do you do encryption of backups
> I found that the backup made from a encrypted data if recovered are not
> encrypted as it is OS encrytion and not database.
> Also another interesting question on same line:
> If the domain account used to start the sqlserver and encryption is deleted
> and recreated with the same login/password will that user be able to decrypt
> the files.
> Mangesh
> Also if we can recover the encrypted file

Encrypting data within the DB

Hello,
I am running Microsoft SQL Server 2000 on a Windows 2000 Server. I have
been working with SQL Server, building ASP websites for many years now.
I am by no means an expert - nor have I had ANY formal training. So bear
with me if my questions seem elementary...

I have some questions regarding sensitive data and encryption.

There is a project that is headed my way where the social security number
is being used as the unique identifier for an account. I have always
used an identity column as a unique identifier. What would be the pros
and cons of using the SSN as a unique identifier?

#1 How do I go about encrypting the number to store in the DB. Is this
done within SQL Server? Or before the data is inserted?

#2 Is it possible to use an encrypted field as a unique identifier?

My gut tells me to use the identity column , encrypt the SSN and not use
it as any part of an identifier.

Thank You for your Help.. Happy New Year!

Please Reply to the Newsgroup.

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!

It is not common but it is possible for a Social Security number to change
given time. It should certainly be a way for people to quickly find
individuals however I don't think it should be a primary key --

As far as encryption goes check out the source code for the forums that are
available at www.webwizguide.com -- there is a very nice encryption system
built into the software that I have used many a time and I can't knock it --

"kimi" <kim@.kimmyXSPAMX.com> wrote in message
news:3ffd9826$0$70302$75868355@.news.frii.net...
> Hello,
> I am running Microsoft SQL Server 2000 on a Windows 2000 Sever. I have
> been working with SQL Server, Building ASp WebSites for many years now.
> I am by no means an expert - nor have I had ANY formal training. So ebar
> with me if my questions seem elementary...
> I have some questions regarding sensitive data and encryption.
> There is a project that is headed my way were the social security number
> is being used as the unique identifier for an account. I have always
> used as identity column as a unique identifier. What would be the pros
> and cons of using the SSN as a unique identifier?
> #1 How do I go about encrypting the number to store in the DB. Is this
> done within SQL Server? Or before the data is inserted?
> #2 Is it possible to use an encrypted field as a unique identifier?
> My gut tells me to use the identity column , encrypt the SSN and not use
> it as any part of an identifier.
> Thank You for your Help.. Happy New Year!
> Please Reply to the Newsgroup.
> *** Sent via Developersdex http://www.developersdex.com ***
> Don't just participate in USENET...get rewarded for it!|||"kimi" <kim@.kimmyXSPAMX.com> wrote in message
news:3ffd9826$0$70302$75868355@.news.frii.net...
> Hello,
> I am running Microsoft SQL Server 2000 on a Windows 2000 Sever. I have
> been working with SQL Server, Building ASp WebSites for many years now.
> I am by no means an expert - nor have I had ANY formal training. So ebar
> with me if my questions seem elementary...
> I have some questions regarding sensitive data and encryption.
> There is a project that is headed my way were the social security number
> is being used as the unique identifier for an account. I have always
> used as identity column as a unique identifier. What would be the pros
> and cons of using the SSN as a unique identifier?
> #1 How do I go about encrypting the number to store in the DB. Is this
> done within SQL Server? Or before the data is inserted?
> #2 Is it possible to use an encrypted field as a unique identifier?
> My gut tells me to use the identity column , encrypt the SSN and not use
> it as any part of an identifier.
> Thank You for your Help.. Happy New Year!
> Please Reply to the Newsgroup.
> *** Sent via Developersdex http://www.developersdex.com ***
> Don't just participate in USENET...get rewarded for it!

1. There is no built-in encryption mechanism in MSSQL, but there are a
number of third-party products available:

http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=22

Alternatively, use the Windows CryptoAPI from your front end application to
encrypt/decrypt as you access the data, so the database only ever stores the
encrypted value.

2. Any column which has guaranteed unique values could be a key, but your
encryption solution might produce something unsuitable, such as a very long
value which would be awkward to work with.

Personally, I would go with your proposed solution, and avoid the SSN as a
key. For example, if your solution ever goes international, then basing
everything on an SSN will suddenly become an issue. An artificial key of
some sort is a useful solution. But ultimately you have to decide based on
your requirements.

Simon|||>As far as encryption goes check out the source code for the forums that are
>available at www.webwizguide.com -- there is a very nice encryption system
>built into the software that I have used many a time and I can't knock it --

Thank you for the link above. I will check this out first chance I get.
I am somewhat familiar with this forum. Thanks.

Please Reply to the Newsgroups..

|||>but there are a number of third-party products available:
>http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=22

Have you used any of the third party software to encrypt?

>Alternatively, use the Windows CryptoAPI from your front end application to
>encrypt/decrypt as you access the data, so the database only ever stores the
>encrypted value.

Well this is what I want - but this brings up another concern. If the
value stored is encrypted - Would this mean I could never search by SSN?

>Personally, I would go with your proposed solution, and avoid the SSN as a
>key. For example, if your solution ever goes international, then basing
>everything on an SSN will suddenly become an issue. An artificial key of
>some sort is a useful solution. But ultimately you have to decide
>based on your requirements.

I agree - I think I am going to push for this - and your point about
international possibilities will be my defense.

Thank you for your help.

Please Reply to the Newsgroups..

|||Nah it just means you would have to decrypt the SSN field as part of the
where clause -- probably not that fast as this would lead to indexes being
thrown off but hey --

What I am not quite sure of is why the SSN has to be encrypted in the first
place? Unless somebody is going to have access to the server that should
not I just don't get it -- maybe I am not as cautious as some however

"kimi" <kim@.kimmyXSPAMX.com> wrote in message
news:3ffdbb52$0$70306$75868355@.news.frii.net...
> >but there are a number of third-party products available:
> >http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=22
> Have you used any of the third party software to encrypt?
>
> >Alternatively, use the Windows CrpytoAPI from your front >end
> application to
> >encrpyt/decrypt as you access the data, so the database >only ever
> stores the
> >encrypted value.
> Well this is what I want - but this brings up antoher concern. If the
> value stored is encrypted - Would this mean I could never search by SSN?
>
> >Personally, I would go with your proposed solution, and >avoid the SSN
> as a
> >key. For example, if your solution ever goes >international, then
> basing
> >everything on an SSN will suddenly become an issue. An >artificial key
> of
> >some sort is a useful solution. But ultimately you have to >decide
> based on your requirements.
> I agree - I think I am going to push for this - and your point about
> international possibilities will be my defense.
> Thank you for your help.
>
> Please Reply to the Newsgroups..
> *** Sent via Developersdex http://www.developersdex.com ***
> Don't just participate in USENET...get rewarded for it!|||because customers are more willing to give you their SSN if they know that
it is secure.

"J00 Moo" <notreallyarealemailaddress@.hotmail.com> wrote in message
news:btkn5l$8fvta$1@.ID-68406.news.uni-berlin.de...
> Nah it just means you would have to decript the SSN field as part of the
> where clause -- probably not that fast as this would lead to indexes being
> thrown off but hey --
> What I am not quite sure of is why the SSN has to be encrypted in the
first
> place? Unless somebody is going to have access to the server that should
> not I just dont get it -- maybe I am not as cautious as some however
> "kimi" <kim@.kimmyXSPAMX.com> wrote in message
> news:3ffdbb52$0$70306$75868355@.news.frii.net...
> > >but there are a number of third-party products available:
> > >http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=22
> > Have you used any of the third party software to encrypt?
> > >Alternatively, use the Windows CrpytoAPI from your front >end
> > application to
> > >encrpyt/decrypt as you access the data, so the database >only ever
> > stores the
> > >encrypted value.
> > Well this is what I want - but this brings up antoher concern. If the
> > value stored is encrypted - Would this mean I could never search by SSN?
> > >Personally, I would go with your proposed solution, and >avoid the SSN
> > as a
> > >key. For example, if your solution ever goes >international, then
> > basing
> > >everything on an SSN will suddenly become an issue. An >artificial key
> > of
> > >some sort is a useful solution. But ultimately you have to >decide
> > based on your requirements.
> > I agree - I think I am going to push for this - and your point about
> > international possibilities will be my defense.
> > Thank you for your help.
> > Please Reply to the Newsgroups..
> > *** Sent via Developersdex http://www.developersdex.com ***
> > Don't just participate in USENET...get rewarded for it!|||kimi (kim@.kimmyXSPAMX.com) writes:
> Well this is what I want - but this brings up antoher concern. If the
> value stored is encrypted - Would this mean I could never search by SSN?

Searching for a single value should not be much of a problem. You encrypt
the input and then look up the encrypted value. Of course, you must use
an encryption method which always gives the same encrypted value for the
same input.

Search for a range, like all SSN that start on 500 would be more
problematic.

Going back to your original post:
>What would be the pros and cons of using the SSN as a unique identifier?

The pro would be that you would get a tap on your shoulder by Joe Celko.

But as noted by others, SSN is a typical example of something that looks
like a natural key, but when you look closer to it, does not live up to
the strict requirements for a primary key in a relational database. A
fact which is true of many natural look-a-like keys.

--
Erland Sommarskog, SQL Server MVP, sommar@.algonet.se

Books Online for SQL Server SP3 at
http://www.microsoft.com/sql/techin.../2000/books.asp|||>But as noted by others, SSN is a typical example of something that
>looks like a natural key, but when you look closer to it, does not live
>up to the strict requirements for a primary key in a relational
>database. A
>fact which is true of many natural look-a-like keys.

Would you consider a phone number to be a good choice for a primary key?

As I understand the data that is to be stored right now.
The only options I have are ssn, phone number, or identity column.

I am so leaning toward the identity.
Thank you for your replies

Please Reply to the Newsgroups..

|||Upon further ingestion of coffee I realize that a phone number as a
primary key would be a BAD Move...

I am sticking with the identity column - i see it as my only option
right now.

|||"kimi" <kim@.kimmyXSPAMX.com> wrote in message
news:3ffebf76$0$70303$75868355@.news.frii.net...
> Upon further ingestion of coffee I realize that a phone number as a
> primary key would be a BAD Move...
> I am sticking with the identity column - i see it as my only option
> right now.
>
>
> *** Sent via Developersdex http://www.developersdex.com ***
> Don't just participate in USENET...get rewarded for it!

The identity column is probably the best approach. The fundamental issue as
I see it is that there is no such thing as a natural key for human beings,
or at least no key that is practical in relational database terms. In some
specific contexts, it might be possible to use something like an email
address, but even then a surrogate key might be required purely for
performance.

You could try to make a composite key out of numerous fields (names, phone
numbers, addresses etc), but it would be completely impractical, even if you
could be sure that everyone in your database will always have an email
address and a phone. I suppose you might theoretically be able to produce a
unique hash value from someone's DNA, but even if it could be made small
enough to work in a practical implementation, you'd still have a problem
when you get your first set of identical twin customers/employees/whatever.

SSNs, passport numbers, employee IDs etc. are essentially artificial keys at
the end of the day, so there's no reason to be reluctant to use one
yourself, at least in my view.

Simon|||>> The only options I have are ssn, phone number, or identity column. <<

Go down the list and ask yourself which of the three can be verified
in the reality you are modeling. I can call someone and ask for his
phone number. I can call the government and verify his SSN. IDENTITY
by definition is never a key -- just put the same data into the table
1000 times on a table that uses such a pseudo-key and trash your data
integrity.

What is the nature of the application? Do you require the phone
number or can someone qualify for membership in the set without one?
Probably. Do you require the SSN or can someone qualify for membership
without one? Probably not. If I hire a foreign national, I have to
get a tax number for him in a business environment. So you allow
sloppy SSNs only if you want to go to jail under INS, IRS and Homeland
Security laws. You not only have to have it on file as a matter of
law, you have to verify it as a matter of law.

The bad news is that simple verification is a pain with SSN. Buy a
package or find some freeware to save yourself the pain.|||Joe,

> I can call someone and ask for his phone number.

And don't forget to ask "Is this the party to whom I am speaking?"

Linda
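
Erland Sommarskog's point above (encrypt the input, then look up the stored value, using a method that always gives the same output for the same input), combined with the identity-column key the thread settles on, as an added Python example that is not from any poster in the thread. It assumes the lookup token is computed in the application tier with HMAC-SHA-256; `sqlite3` stands in for SQL Server, and the table, column and function names and the key are hypothetical.

```python
import hashlib
import hmac
import sqlite3

# Constructed demo key. In a real deployment the key stays in the application
# tier (the thread's "front end" / "middle tier"), never in the database.
DEMO_INDEX_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def normalize_ssn(raw):
    """Reduce '000-12-3456', '000 12 3456' and '000123456' to nine digits."""
    digits = raw.replace("-", "").replace(" ", "")
    if len(digits) != 9 or any(c not in "0123456789" for c in digits):
        raise ValueError("SSN must contain exactly nine digits")
    return digits


def ssn_token(ssn, key=DEMO_INDEX_KEY):
    """Deterministic lookup token: same SSN and key always give the same bytes.

    A keyed MAC is used rather than a bare hash because there are only 10**9
    possible SSNs; an unkeyed hash could be reversed by trying them all.
    """
    return hmac.new(key, normalize_ssn(ssn).encode("ascii"), hashlib.sha256).digest()


def create_schema(conn):
    conn.execute(
        """
        CREATE TABLE account (
            account_id     INTEGER PRIMARY KEY AUTOINCREMENT, -- identity column
            name           TEXT NOT NULL,
            ssn_token      BLOB NOT NULL UNIQUE,  -- indexed, equality search only
            ssn_ciphertext BLOB NOT NULL          -- opaque output of the app's cipher
        )
        """
    )


def add_account(conn, name, ssn, ssn_ciphertext, key=DEMO_INDEX_KEY):
    """Insert a row; the UNIQUE token rejects a second account for one SSN."""
    cur = conn.execute(
        "INSERT INTO account (name, ssn_token, ssn_ciphertext) VALUES (?, ?, ?)",
        (name, ssn_token(ssn, key), ssn_ciphertext),
    )
    return cur.lastrowid


def find_by_ssn(conn, ssn, key=DEMO_INDEX_KEY):
    """Encrypt-the-input lookup: compute the token, then do an indexed match."""
    return conn.execute(
        "SELECT account_id, name FROM account WHERE ssn_token = ?",
        (ssn_token(ssn, key),),
    ).fetchone()


def demo():
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    # Constructed sample rows; the ciphertext values are placeholders.
    first = add_account(conn, "Constructed Person A", "000-12-3456", b"<ciphertext A>")
    add_account(conn, "Constructed Person B", "000-98-7654", b"<ciphertext B>")
    hit = find_by_ssn(conn, "000123456")       # different formatting, same SSN
    miss = find_by_ssn(conn, "000-12-3457")    # one digit off: no partial match
    try:
        add_account(conn, "Duplicate", "000 12 3456", b"<ciphertext C>")
        duplicate_rejected = False
    except sqlite3.IntegrityError:
        duplicate_rejected = True
    return first, hit, miss, duplicate_rejected


if __name__ == "__main__":
    print(demo())
```

Because equal SSNs produce equal tokens, the token column reveals which rows share a value, and a search such as "all SSNs starting with 500" still cannot use it.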

Encrypting Data

I have an application that stores sensitive data in an SQL server and I am currently handling this through my ASP.NET application using the encryption classes in C#.

One of the things we would eventually like to be able to do is use other programs (like Microsoft Access) to run advanced queries on the tables and retrieve the data. With the encryption being done in C#/ASP all that would be returned would be the encrypted data.

I am wondering if there is a way to build a layer to encrypt/decrypt data at the database level, my searches haven't yielded too much info (as well as a trip to Borders) as I haven't seen any books that even touch on this.

I don't know a lot about SQL right now (Mainly only MySQL so Stored Procs and all that stuff are really new to me) so I don't know if I would go about it this way or not? (Using a stored procedure)

Can anyone recommend where I should start to learn about accomplishing this? Books are usually the best help but I'll take any kind of information that can be thrown my way :-)

Thanks!

ummm... what are you encrypting? and does it NEED to be encrypted up the wazoo?|||Yes, It needs to be encrypted. No matter what it is there should be a way to encrypt it correct?|||Sorry, To add to that what are my other options? I know there are user access controls (although never have worked with them) and that type of stuff but one thing that worried me would be using access control, right now as it is I can remote desktop to the SQL machine open enterprise manager and browse the tables. (No password needed) I'm all for doing it the correct way. But part of the thing to is even though I'm writing the program because it's encrypted I never have to see the data.

Monday, March 19, 2012

Encrypting a data

Hi,

I am creating a stored procedure in sql server 2005 to encrypt a parameter value that comes from an asp.net page. This value is of type varchar.

Now I have declared a parameter as varbinary to accept this value in the stored procedure. And encrypting it using symmetric key which is encrypted by certificate.

Now when i enter a value into the textbox in asp.net page. it shows

"implicit conversion from varchar to varbinary not possible" pls tell me what is the solution? do i have to convert the value in vb code while accessing the value of the textbox or do i have to convert the value while passing the value when call stored procedure.

pls tell me the solution so that i don't have to change any coding in vb.

some solution in sql server itself.

Thank you

Gaurav

If you're passing a varchar to the stored procedure, then rewrite the stored procedure to accept a varchar.

Thanks
Laurentiu

|||

But i have to encrypt that value - the value that is coming from a varchar parameter.

And encryption works on varbinary data type. so do i need to convert that parameter to varbinary in the stored procedure.

In fact i even tried that but it is showing the same result implicit conversion not allowed.

Pls give me a solution. where i could pass a varchar data type value to a stored procedure and encrypt it in the stored procedure.

Thanks

Gaurav

|||

You can encrypt varchar values; it is not true that encryption works only on varbinary data. See the BOL article for EncryptByKey:

http://msdn2.microsoft.com/en-us/library/ms174361(SQL.90).aspx

varchar is explicitly listed as an accepted type for the cleartext data, so you just need to rewrite your procedure to accept a varchar value. Converting the varchar data to varbinary in the procedure does not help, because the problem happens earlier when you pass the varchar value to the procedure that expects a varbinary. If you don't want to change the procedure code to expect a varchar, then you have to explicitly cast the varchar to varbinary before you pass it to the procedure.

For an example that encrypts varchar data, see http://blogs.msdn.com/lcris/archive/2005/12/16/504692.aspx. There are other examples on my blog that encrypt varchar data besides that one.

Thanks
Laurentiu

Friday, February 17, 2012

Empty reports

In my ASP.Net application, I need to give the user an error message when
a report is empty. Sometimes there is an exception that gets thrown and
sometimes there is not. How can I tell if the stream coming back from
RS contains an empty report?

In most cases even if the report contains no data the stream isn't empty
(PDF, etc.). Did you try to get a stream back that is based on the CSV format?
I don't know whether there will be a zero byte stream returned back by the
report server, but that should be the stream with the least overhead. If you
know how many bytes an empty report contains, you could also check the size
of the stream to evaluate the minimum for it and then throw an exception if
it is below or equals that minimum level.
(If you got your own Data service provider, but I think that isn't in your
case, you could check for the rows in the tables of the dataset you are
passing to the report)
--
HTH, Jens Suessmeyer.
--
http://www.sqlserver2005.de
--
"No One" <aintnoway@.blahblahblah.com> wrote in message
news:hlmnl2-ii3.ln1@.gandalf.grey-net.com...
> In my ASP.Net application, I need to give the user an error message when a
> report is empty. Sometimes there is an exception that gets thrown and
> sometimes there is not. How can I tell if the stream coming back from RS
> contains an empty report?|||There is a "No Rows" property on the table which allows the developer to
specify a string to display if no rows of data are available.
"No One" <aintnoway@.blahblahblah.com> wrote in message
news:hlmnl2-ii3.ln1@.gandalf.grey-net.com...
> In my ASP.Net application, I need to give the user an error message when
> a report is empty. Sometimes there is an exception that gets thrown and
> sometimes there is not. How can I tell if the stream coming back from
> RS contains an empty report?|||I don't want to return a "No Rows" file. I want to display that on the
browser without trying to send the user a file at all.
Jason wrote:
> There is a "No Rows" property on the table which allows the developer to
> specify a string to display if no rows of data are available.
> "No One" <aintnoway@.blahblahblah.com> wrote in message
> news:hlmnl2-ii3.ln1@.gandalf.grey-net.com...
>>In my ASP.Net application, I need to give the user an error message when
>>a report is empty. Sometimes there is an exception that gets thrown and
>>sometimes there is not. How can I tell if the stream coming back from
>>RS contains an empty report?
>
>