What is the difference between Integrated Security = True and Integrated Security = SSPI?

Asked 4/8, 2009 at 20:15 Answered 2/10, 2017 at 8:57

Solved sql-server connection-string database-security sspi

637

I have two apps that use Integrated Security. One assigns Integrated Security = true in the connection string, and the other sets Integrated Security = SSPI.

What is the difference between SSPI and true in the context of Integrated Security?

Storiette answered 4/8, 2009 at 20:15 Comment(2)

@PranavSingh has the right idea, this question is incomplete unless you specify which provider you are using. Different providers accept and/or translate various strings into internal states. – Centering 22/12, 2014 at 20:41

Although they are same, I believe that there was a very old document in one of websites, at the time i was curious same as you, that said if you are developing for windows mobile (not what you see today, the old devices which i don't remember the OS suffix since i never had one), you should use SSPI, and User Password together. but since i never wrote one, and i don't remember the source of that document, i cannot guarantee it. – Cornish 25/12, 2016 at 13:5

498

According to Microsoft they are the same thing.

When false, User ID and Password are specified in the connection. When true, the current Windows account credentials are used for authentication.
Recognized values are true, false, yes, no, and sspi (strongly recommended), which is equivalent to true.

Japhetic answered 4/8, 2009 at 20:23 Comment(14)

Originally, I think there was a difference in that "True" used NTLM and "SSPI" used Kerberos, but they're now interchangeable. – Gin 4/8, 2009 at 20:26

Thanks for the response. Any reason why it works with one and not the other? In fact, if recall correctly, the error obtained when I used "true" was about some driver (on a 2003 windows server with sql server express). JD. – Storiette 5/8, 2009 at 7:46

Didn't check last comment, but if true, should be as answer, but not the comment – Dragoman 29/3, 2012 at 12:12

@RodneyFoley I use SSPI with wrong username and password, but it doesnt care and connected successfully in net4.0. Is this expected result ? – Suppletion 6/6, 2012 at 8:36

@RodneyFoley Do you have a source for that statement? This seems unusual as integrated is preferred over SQL authentication, so a system that defaults to SQL auth seems unlikely. – Sholem 14/9, 2012 at 21:28

@KirkBroadhurst MSDN Doc's for connection strings, and real world usage. – Substitutive 15/9, 2012 at 22:26

@RodneyFoley sorry, wasn't clear enough. Can you provide a source for that statement? I'm googling it and can't find any such advice. – Sholem 16/9, 2012 at 9:3

@RodneyFoley sorry, my tests confirm that this answer is correct and your comment is not. Maybe it worked that way once, but it doesn't now, and you can't provide any reference to a Microsoft doc that supports your opinion. – Sholem 17/9, 2012 at 6:48

Agree with Kirk. User / password is ignored when SSPI specified - .net 4.0, SQL server 2012. – Bergman 3/3, 2015 at 15:20

@RodneyFoley and @KirkBroadhurst: Looking at other answers it looks like it might depend on the provider used. If talking about System.Data.SqlClient, I did find this article which says True means that User Id and Password will be ignored and SSPI means that they will be be used if present, but Windows Security will be used if not. This link says true will ignore them but doesn't mention SSPI. – Searles 6/12, 2015 at 20:32

So if they "are the same thing" why is SSPI "strongly recommended" rather than "true" or "yes? That's the reason why I came to this question... – Malamud 5/9, 2016 at 10:56

@PranavSingh: It's not me who is saying they are the same. Is the current answer which we are commenting... – Malamud 25/10, 2017 at 10:18

@ZéCarlos Ok, Got it. Somehow that is accepted answer with highest votes :) . I added answer for same clarification – Shumway 25/10, 2017 at 12:37

If it is only used to say you are using Windows Authentication, wonder why they didn't just call the setting/property "Windows Authentication" instead of Integrated Security? – Flong 8/10, 2019 at 21:42

247

Integrated Security=true; doesn't work in all SQL providers, it throws an exception when used with the OleDb provider.

So basically Integrated Security=SSPI; is preferred since works with both SQLClient & OleDB provider.

Here's the full set of syntaxes according to MSDN - Connection String Syntax (ADO.NET)

Shumway answered 13/5, 2014 at 17:4 Comment(2)

Isn't this answer repeats the third rated one? – Department 20/11, 2020 at 2:3

@Department this answer is a bit more complete and also links to a still-valid Microsoft Docs page (the link in the other answer now brings you to a page suggesting to download Visual Studio 2005 Retired docs). – Dextroamphetamine 24/3, 2021 at 21:15

Using Windows Authentication

To connect to the database server is recommended to use Windows Authentication, commonly known as integrated security. To specify the Windows authentication, you can use any of the following two key-value pairs with the data provider. NET Framework for SQL Server:

 Integrated Security = true;
 Integrated Security = SSPI;

However, only the second works with the data provider .NET Framework OleDb. If you set Integrated Security = true for ConnectionString an exception is thrown.

To specify the Windows authentication in the data provider. NET Framework for ODBC, you should use the following key-value pair.

Trusted_Connection = yes;

Source: MSDN: Working with Connection Strings

Jit answered 12/7, 2012 at 23:29 Comment(0)

Many questions get answers if we use .Net Reflector to see the actual code of SqlConnection :) true and sspi are the same:

internal class DbConnectionOptions

...

internal bool ConvertValueToIntegratedSecurityInternal(string stringValue)
{
    if ((CompareInsensitiveInvariant(stringValue, "sspi") || CompareInsensitiveInvariant(stringValue, "true")) || CompareInsensitiveInvariant(stringValue, "yes"))
    {
        return true;
    }
}

...

EDIT 20.02.2018 Now in .Net Core we can see its open source on github! Search for ConvertValueToIntegratedSecurityInternal method:

https://github.com/dotnet/corefx/blob/fdbb160aeb0fad168b3603dbdd971d568151a0c8/src/System.Data.SqlClient/src/System/Data/Common/DbConnectionOptions.cs

Better answered 3/10, 2013 at 12:58 Comment(1)

That part of code is property only for one case that is explainable by name ConvertValueToIntegratedSecurityInternal. That property is used only when provider is SqlClient so in SqlClient, SSPI &true are same but not when client is OleDb or OracleClient. I have clarified that in https://mcmap.net/q/63946/-what-is-the-difference-between-integrated-security-true-and-integrated-security-sspi with msdn reference – Shumway 6/9, 2018 at 11:25

Integrated Security = False : User ID and Password are specified in the connection. Integrated Security = true : the current Windows account credentials are used for authentication.

Integrated Security = SSPI : this is equivalant to true.

We can avoid the username and password attributes from the connection string and use the Integrated Security

Dermatosis answered 23/1, 2013 at 13:26 Comment(0)

Let me start with Integrated Security = false

false User ID and Password are specified in the connection string.
true Windows account credentials are used for authentication.

Recognized values are true, false, yes, no, and SSPI.

If User ID and Password are specified and Integrated Security is set to true, then User ID and Password will be ignored and Integrated Security will be used

Anecdotic answered 5/7, 2012 at 14:27 Comment(0)

Note that connection strings are specific to what and how you are connecting to data. These are connecting to the same database but the first is using .NET Framework Data Provider for SQL Server. Integrated Security=True will not work for OleDb.

Data Source=.;Initial Catalog=aspnetdb;Integrated Security=True
Provider=SQLOLEDB;Data Source=.;Integrated Security=SSPI;Initial Catalog=aspnetdb

When in doubt use the Visual Studio Server Explorer Data Connections.

What is sspi?
Connection Strings Syntax

Fertilization answered 2/4, 2014 at 23:46 Comment(0)

True is only valid if you're using the .NET SqlClient library. It isn't valid when using OLEDB. Where SSPI is bvaid in both either you are using .net SqlClient library or OLEDB.

Exo answered 9/1, 2015 at 12:54 Comment(1)

social.msdn.microsoft.com/Forums/en-US/… – Exo 9/1, 2015 at 12:55

In my point of view,

If you dont use Integrated security=SSPI,then you need to hardcode the username and password in the connection string which means "relatively insecure" why because, all the employees have the access even ex-employee could use the information maliciously.

Elfreda answered 2/10, 2017 at 8:57 Comment(2)

The connection string is not necessarily visible to any employee. – Lepsy 6/10, 2017 at 14:45

-1 If you don't use Integrated security=SSPI then you can use Integrated security=true and still not have to hardcode usernames and passwords. Moreover, securing these kinds of configurations is out of the scope of this question. – Eyecatching 21/11, 2022 at 14:52

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags