SQL Server Integrated Security from an Azure Web Site

Question

When running an ASP.Net website on IIS I can specify the Active Directory (AD) username that the website runs in the context of in the App Pool settings. I can then create a connection string with Integrated Security = true to access my database. It's then possible to secure DB resources based on that AD user.

Is this possible in Windows Azure when connecting a Web Site to a VM hosting an SQL database?

• Firstly it does not seem possible to specify the virtual network of the Web Site so I am not sure how to specify the connection string. I'm hoping I don't need to expose the SQL Server's port (1433) to the outside world so only the website can make access to it.

• Secondly, I can't see how to specify the user context of the Website so that this can be passed to the SQL Server. I am aware that Azure has an Active Directory but I don't see any options in the Azure Portal to run a Web Site as a specific user.

Answer 1

To answer the first part of your question, you can connect your Azure Web App to a virtual network only in the preview portal. If you go to the very bottom of the main properties "blade" for the web app, there's a "Networking" section that will allow you to select the vnet.

The second part - I don't believe there's a way to do that, due to the lack of control over the application pool settings for Azure Web Apps.

Each app in Web Apps runs as a random unique low-privileged worker process identity called the "application pool identity", described further here: http://www.iis.net/learn/manage/configuring-security/application-pool-identities.

(from: http://azure.microsoft.com/en-us/documentation/articles/web-sites-available-operating-system-functionality/)

Sql authentication will work in this scenario.

And if you have the website hosted outside of Azure, it's definitely possible - we have a TFS build server that's hosted locally using windows authentication to publish database project builds to a SQL Server VM in Azure over a vnet.