I have read that it is recommended to remove the username/password for database connection strings from the web.config file for an ASP.Net web application, and instead use an IIS application pool identity for authenticating access to the database.
While this is easy to do and a straightforward process for connecting to a Microsoft SQL Server database using an active directory service account, that's not the same, from the research that I have done on this question, for connecting to an Oracle database.
We can't figure out how to connect to an Oracle database using IIS 7.5 Integrated Managed Pipeline Mode. We want to use integrated security because we don't want to include the Oracle database username and password in the connection string in the web.config file for the ASP.Net web site.
We also want to avoid creating the possibility for a malicious user to "spoof" a Windows account, giving them sys.admin access to Oracle if an Oracle database account is found that matches the Windows account.
What is the industry standard for connection to an Oracle database using integrated pipeline mode with an ASP.Net application through IIS 7.5?
How is this accomplished, in order to remove the Oracle database username and password from the web.config file?
Instead of figuring out connecting to an Oracle Database through IIS with integrated security (which I'm not sure of how to do or if it's possible), try an alternative.
Instead of setting it in web.config, programmatically obtain the username/password from an encrypted file or secure web service
Or encrypt the .config file itself. MSDN has some directions for that.