When do usernames and passwords belong in connection strings

Kenneth Fisher, 2017-12-18

tl;dr: When using a Windows or Active Directory authenticated id, you do not put the username or password into your connection string.

Quite possibly the most common question I get is “Why won’t my login connect to the database?”. And the most common response? You’re using it wrong.

In SQL Server there are two types of ids: Windows authenticated and SQL Server authenticated. Typically you can tell the difference because Windows authenticated ids have a domain attached.

[domain name]/

Note: This won’t always be the case. When creating a database level principal (a user) it is possible (in older versions of SQL Server) to create the user with a different name from the server principal (the login), and sometimes the domain name gets removed. It is also possible to create a SQL Server authenticated login/user with what looks like a domain name. So how do you tell for sure? You can either look in the GUI or in sys.server_principals or sys.database_principals. The type and type_desc columns will tell you what the actual type of the principal (login or user) is. You can look in BOL for all of the possible options, but the ones we care about are:

  • S – SQL Login/User
  • U – Windows/AD Login/User


Here is the meat of it. With a SQL login you have to pass the user name and password to SQL Server. With a Windows authenticated connection you don’t! For a Windows authenticated user/group you typically put something like Trusted_Connection in the connection string (the exact keyword depends on the type of connection string). With Windows authenticated principals, Windows has authenticated your connection (go figure, right?). It then passes that authentication on to SQL Server without requiring it to send the password across the wire. Hence the word trusted.
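To make the rule concrete, here is a small connection string check in Python. It is an added example, not code from the original post; the server, database and account names are constructed, and the parser assumes simple `key=value;` strings without quoted semicolons.

```python
# Added example, not from the original post. Sample strings are constructed.
# Keyword synonyms used by ODBC, OLE DB and SqlClient connection strings.
TRUSTED_KEYS = ("trusted_connection", "integrated security")
USER_KEYS = ("uid", "user id", "user")
PASSWORD_KEYS = ("pwd", "password")
TRUE_VALUES = {"yes", "true", "sspi"}


def parse_connection_string(conn_str):
    """Split 'key=value;...' into a dict with lower-cased keys.

    Simplification: values containing ';' inside quotes or braces are not handled.
    """
    pairs = {}
    for part in conn_str.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs


def lint_connection_string(conn_str):
    """Return a list of findings; an empty list means nothing was flagged."""
    pairs = parse_connection_string(conn_str)
    trusted = any(pairs.get(k, "").lower() in TRUE_VALUES for k in TRUSTED_KEYS)
    user = next((pairs[k] for k in USER_KEYS if k in pairs), None)
    password = next((pairs[k] for k in PASSWORD_KEYS if k in pairs), None)

    findings = []
    if trusted and (user is not None or password is not None):
        findings.append("trusted connection: remove the user name and password")
    elif not trusted and user and "\\" in user:
        findings.append("DOMAIN\\user as user name: Windows principals "
                        "need a trusted connection instead")
    elif not trusted and (not user or not password):
        findings.append("SQL login: both user name and password are required")
    return findings


if __name__ == "__main__":
    samples = [  # constructed examples
        "Server=sql01;Database=Sales;Trusted_Connection=yes;",
        "Server=sql01;Database=Sales;User ID=app_reader;Password=example-only;",
        "Server=sql01;Database=Sales;User ID=CORP\\svc_app;Password=example-only;",
    ]
    for s in samples:
        print(s, "->", lint_connection_string(s) or "ok")
```

A check like this fits in a deployment pipeline or config review, where it catches stored passwords that a trusted connection makes unnecessary.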

For help with connection strings in general you can go to this site. There are entries for OLE DB, ODBC and more. There are also (lots and lots of) entries for non-SQL Server connection strings if you need them.




