I would like to incorporate Windows Authentication whereby I run the pool by Application Pool Identity or Network Service so as to integrate 100% of the remote resource authentication inside the Web.Config.
Provisioning privileged Domain Service identities is seen as a site owner accountability and as one who provisions Infrastructure I would like not to know or handle the credential. As much application configurations as possible should be inside the web.config. Our default Server setting is Windows Authentication, but allow at the SITE level to incorporate other Authentication as required for the needs of the web application.
Use Cases:
Windows Server 2008\2012 R2
90% of data tier is SQL
Domain Identities default (no SQL IDs if it can be avoided)
Credentials Encrypted and passed inside web.config
We have an encryption.dll that is placed in \Bin folder to decrypt the credentials. I'm not a developer, however our development teams are struggling adapting to this DevOps style of platform administration.
The goal is to allow application teams to be able to update credentials as needed upon password recycles. (Content placed on witness share and promotion of code done via an XCopy command remotely)
I've yet to find the right combination of recommendations. The majority queries I've come across has people running with the Pool AppPoolIdentity\Network Service and Impersonation of the logged in user. Our policies do not allow for individual users to access the Databases like we do with service accounts.
AppPools are not shared. Each site has their own application pool.
Any suggestions?