What is the difference between Integrated Security = True and Integrated Security = SSPI?

sql-server security connection-string database-security
716,852

Solution 1

According to Microsoft they are the same thing.

When false, User ID and Password are specified in the connection. When true, the current Windows account credentials are used for authentication.
Recognized values are true, false, yes, no, and sspi (strongly recommended), which is equivalent to true.

Solution 2

Integrated Security=true; doesn't work in all SQL providers, it throws an exception when used with the OleDb provider.

So basically Integrated Security=SSPI; is preferred since works with both SQLClient & OleDB provider.

Here's the full set of syntaxes according to MSDN - Connection String Syntax (ADO.NET)

![Windows Auth Syntax

Solution 3

Using Windows Authentication

To connect to the database server is recommended to use Windows Authentication, commonly known as integrated security. To specify the Windows authentication, you can use any of the following two key-value pairs with the data provider. NET Framework for SQL Server:

 Integrated Security = true;
 Integrated Security = SSPI;

However, only the second works with the data provider .NET Framework OleDb. If you set Integrated Security = true for ConnectionString an exception is thrown.

To specify the Windows authentication in the data provider. NET Framework for ODBC, you should use the following key-value pair.

Trusted_Connection = yes;

Source: MSDN: Working with Connection Strings

Solution 4

Many questions get answers if we use .Net Reflector to see the actual code of SqlConnection :) true and sspi are the same:

internal class DbConnectionOptions

...

internal bool ConvertValueToIntegratedSecurityInternal(string stringValue)
{
    if ((CompareInsensitiveInvariant(stringValue, "sspi") || CompareInsensitiveInvariant(stringValue, "true")) || CompareInsensitiveInvariant(stringValue, "yes"))
    {
        return true;
    }
}

...

EDIT 20.02.2018 Now in .Net Core we can see its open source on github! Search for ConvertValueToIntegratedSecurityInternal method:

https://github.com/dotnet/corefx/blob/fdbb160aeb0fad168b3603dbdd971d568151a0c8/src/System.Data.SqlClient/src/System/Data/Common/DbConnectionOptions.cs

Solution 5

Integrated Security = False : User ID and Password are specified in the connection. Integrated Security = true : the current Windows account credentials are used for authentication.

Integrated Security = SSPI : this is equivalant to true.

We can avoid the username and password attributes from the connection string and use the Integrated Security

Share:
716,852
JD.
Author by

JD.

Updated on August 01, 2022

Comments

  • JD.
    JD. almost 2 years

    I have two apps that use Integrated Security. One assigns Integrated Security = true in the connection string, and the other sets Integrated Security = SSPI.

    What is the difference between SSPI and true in the context of Integrated Security?

    • Pranav Singh
      Pranav Singh almost 10 years
      The accepted answer is not the best one, its not fully correct either. Integrated Security = True or SSPI are not same. Integrated Security=true; doesn't work in all SQL providers, it throws an exception when used with the OleDb provider. So basically Integrated Security=SSPI; is preferred since works with both SQLClient & OleDB provider. I have added an answer for better clarification.
    • Mark
      Mark over 9 years
      @PranavSingh has the right idea, this question is incomplete unless you specify which provider you are using. Different providers accept and/or translate various strings into internal states.
    • Hassan Faghihi
      Hassan Faghihi over 7 years
      Although they are same, I believe that there was a very old document in one of websites, at the time i was curious same as you, that said if you are developing for windows mobile (not what you see today, the old devices which i don't remember the OS suffix since i never had one), you should use SSPI, and User Password together. but since i never wrote one, and i don't remember the source of that document, i cannot guarantee it.
    • ATL_DEV
      ATL_DEV almost 3 years
      What is SSPI short for? The "SS" hopefully means SQL Server, but not sure what SI means.
  • eugened
    eugened almost 15 years
    Originally, I think there was a difference in that "True" used NTLM and "SSPI" used Kerberos, but they're now interchangeable.
  • JD.
    JD. almost 15 years
    Thanks for the response. Any reason why it works with one and not the other? In fact, if recall correctly, the error obtained when I used "true" was about some driver (on a 2003 windows server with sql server express). JD.
  • Johnny_D
    Johnny_D about 12 years
    Didn't check last comment, but if true, should be as answer, but not the comment
  • Barış Velioğlu
    Barış Velioğlu about 12 years
    @RodneyFoley I use SSPI with wrong username and password, but it doesnt care and connected successfully in net4.0. Is this expected result ?
  • Kirk Broadhurst
    Kirk Broadhurst almost 12 years
    @RodneyFoley Do you have a source for that statement? This seems unusual as integrated is preferred over SQL authentication, so a system that defaults to SQL auth seems unlikely.
  • Rodney S. Foley
    Rodney S. Foley almost 12 years
    @KirkBroadhurst MSDN Doc's for connection strings, and real world usage.
  • Kirk Broadhurst
    Kirk Broadhurst almost 12 years
    @RodneyFoley sorry, wasn't clear enough. Can you provide a source for that statement? I'm googling it and can't find any such advice.
  • Kirk Broadhurst
    Kirk Broadhurst almost 12 years
    @RodneyFoley sorry, my tests confirm that this answer is correct and your comment is not. Maybe it worked that way once, but it doesn't now, and you can't provide any reference to a Microsoft doc that supports your opinion.
  • Amit Shishodia
    Amit Shishodia over 9 years
  • Alex des Pelagos
    Alex des Pelagos over 9 years
    Agree with Kirk. User / password is ignored when SSPI specified - .net 4.0, SQL server 2012.
  • Jason Goemaat
    Jason Goemaat over 8 years
    @RodneyFoley and @KirkBroadhurst: Looking at other answers it looks like it might depend on the provider used. If talking about System.Data.SqlClient, I did find this article which says True means that User Id and Password will be ignored and SSPI means that they will be be used if present, but Windows Security will be used if not. This link says true will ignore them but doesn't mention SSPI.
  • Zé Carlos
    Zé Carlos almost 8 years
    So if they "are the same thing" why is SSPI "strongly recommended" rather than "true" or "yes? That's the reason why I came to this question...
  • underscore_d
    underscore_d over 6 years
    The connection string is not necessarily visible to any employee.
  • Zé Carlos
    Zé Carlos over 6 years
    @PranavSingh: It's not me who is saying they are the same. Is the current answer which we are commenting...
  • Pranav Singh
    Pranav Singh over 6 years
    @ZéCarlos Ok, Got it. Somehow that is accepted answer with highest votes :) . I added answer for same clarification
  • Pranav Singh
    Pranav Singh almost 6 years
    That part of code is property only for one case that is explainable by name ConvertValueToIntegratedSecurityInternal. That property is used only when provider is SqlClient so in SqlClient, SSPI &true are same but not when client is OleDb or OracleClient. I have clarified that in stackoverflow.com/a/23637478/704008 with msdn reference
  • Kelly
    Kelly over 4 years
    If it is only used to say you are using Windows Authentication, wonder why they didn't just call the setting/property "Windows Authentication" instead of Integrated Security?
  • Yola
    Yola over 3 years
    Isn't this answer repeats the third rated one?
  • interDist
    interDist over 3 years
    @Yola this answer is a bit more complete and also links to a still-valid Microsoft Docs page (the link in the other answer now brings you to a page suggesting to download Visual Studio 2005 Retired docs).

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Block remote connection on SQL server and allow only local connection
SQL Server client-side alias is not working
How to check for the existence of a DB?
problem with [SqlException (0x80131904): Invalid object name 'dbo.TableName'.]
SQL connection string for database on network
Reporting Services 2008 - 401: Unauthorized
Export data from SQL Server query to excel
What exactly is SQL Server 2005 User Mapping?
Security risks of setting trustworthy = on in sql server 2012
Connect string of SQL Server for localhost in Entity Framework