Origin of the problem
Earlier, for the individual refactoring of the computer room charging system, the configuration file accessed the database this way:
String= "server=localhost;database=pubs;uid=sa;password=123456"
Over the last two days of learning MVC, while setting up a configuration file, I found that the database connection was written another way:
connectionString="Data Source=(LocalDb)\v11.0;Initial Catalog=aspnet-mvcmovie-20141126170450;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|\movies.mdf" providerName="System.Data.SqlClient"
Focus on the Integrated Security=SSPI part: what is the difference?
Two authentication modes for databases
Windows Authentication Mode
If you accept the default (Windows Authentication mode) during installation, SQL Server uses the current Windows account and its password as the built-in login name (BUILTIN\Administrators) and password for Windows Authentication mode. You therefore do not need to specify a login name and password when using Windows Authentication mode. You can also specify a different Windows account as the built-in login name for Windows Authentication mode by following the prompts. Windows Authentication mode allows only Windows-authenticated connections; selecting SQL Server authentication in SSMS results in a connection failure.
Mixed Authentication Mode
If you select mixed mode during installation, you must specify a password for the sa login, which adds a login for SQL Server authentication.
Two different ways
Windows authentication is more secure than mixed mode. With this connection mode, SQL Server authenticates solely on the basis of the user's Windows permissions, which we call a "trusted connection", but remote logon is not possible because of NTLM authentication.
Mixed-mode validation is more complex: a local user accessing SQL Server uses Windows Authentication to establish a trusted connection, while a remote user, who fails Windows authentication, uses SQL Server authentication (a user with the sa login can also log on to SQL Server) to establish an "untrusted connection". This allows remote users to log on as well.
More precisely, mixed authentication mode is a hybrid of Windows authentication and SQL Server authentication. In this mode, the system determines whether the account is trusted under the Windows operating system. For trusted connections, the system uses the Windows Authentication mechanism directly. For untrusted connections, which include not only remote users but also local users, SQL Server itself verifies that the account exists and that the password matches.
A common misunderstanding
It is incorrect to say that Windows Authentication mode logins and SQL Server authentication mode logins differ in permissions. The difference between the two authentication methods is not one of permissions, and neither can be said to have higher or lower authority than the other. Whether it is the default login name for Windows authentication, the SQL Server sa login, or another login that you added yourself, each has the permissions on databases and tables that are set for that login in SQL Server.
Integrated Security=SSPI
SSPI: Security Support Provider Interface (Microsoft's security support provider interface). It defines a fairly comprehensive common API for obtaining integrated security services such as authentication, message integrity, and message privacy, as well as security-related services for all distributed application protocols.
===========================================
Integrated Security: authentication method
When false, a user ID and password are specified in the connection.
When true, the current Windows account credentials are used for authentication.
The recognized values are true, false, yes, no, and sspi, which is equivalent to true.
============================================
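To check which of the two modes each web.config entry ends up using, here is an added example in Python (not code from the original post): it reads the connection strings, applies the Integrated Security values listed above, and flags passwords stored in the file. The function names, the entry names Legacy and Movies, and the assumption that values contain no quoted semicolons are mine; it also treats Trusted_Connection, uid/user id and pwd as the SqlClient synonyms of those keywords.

```python
import xml.etree.ElementTree as ET

# Keyword synonyms accepted by SqlClient, normalised to one name each.
SYNONYMS = {
    "integrated security": "integrated", "trusted_connection": "integrated",
    "uid": "user", "user id": "user", "user": "user",
    "pwd": "password", "password": "password",
}
WINDOWS_VALUES = {"true", "yes", "sspi"}  # values the page lists as equivalent to true

def parse(conn_str):
    """Split 'key=value;...' pairs (assumes no quoted values containing ';')."""
    fields = {}
    for part in conn_str.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            key = key.strip().lower()
            fields[SYNONYMS.get(key, key)] = value.strip()
    return fields

def audit(conn_str):
    """Return (auth_mode, findings) for one connection string."""
    f = parse(conn_str)
    windows = f.get("integrated", "false").lower() in WINDOWS_VALUES
    findings = []
    if "password" in f:
        # With integrated security on, SqlClient ignores the user ID and password.
        findings.append("password stored in config"
                        + (" (ignored: integrated security is on)" if windows else ""))
    if not windows and f.get("user", "").lower() == "sa":
        findings.append("connects as sa")
    return ("windows" if windows else "sql"), findings

def audit_config(xml_text):
    """Audit every <add> under <connectionStrings> in a web.config document."""
    root = ET.fromstring(xml_text)
    return {add.get("name"): audit(add.get("connectionString", ""))
            for add in root.iter("add") if add.get("connectionString") is not None}

# Constructed sample web.config built from the two strings shown on this page.
SAMPLE = r"""<configuration><connectionStrings>
  <add name="Legacy" connectionString="server=localhost;database=pubs;uid=sa;password=123456" />
  <add name="Movies" connectionString="Data Source=(LocalDb)\v11.0;Initial Catalog=aspnet-mvcmovie-20141126170450;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|\movies.mdf" providerName="System.Data.SqlClient" />
</connectionStrings></configuration>"""

if __name__ == "__main__":
    for name, (mode, findings) in audit_config(SAMPLE).items():
        print(name, mode, findings or "no findings")
```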
Summary
To keep the database secure, use Windows Authentication mode whenever possible. Windows authentication uses a series of encrypted messages to authenticate users in SQL Server. When you log on with SQL Server authentication, SQL Server logins and passwords are passed over the network, which reduces their security.
The Integrated Security=SSPI in C#--web.config