By default, portier Vision stores the database password, encrypted, in the portiervision.ini file on each machine. Some environments should hold no database password at all, for example Citrix and terminal servers, shared sessions, golden images, or security-reviewed environments.
For those cases, with Microsoft SQL Server, there is integrated authentication. portier Vision signs in to the database as the signed-in user’s Windows identity. No password is stored and none is transmitted.
This is not to be confused with signing in to portier Vision itself. For opening the program with your Windows account and no separate password, see Single Sign-On (SSO).
Citrix, terminal server, and golden-image environments that should carry no stored credentials in the profile
Security-reviewed IT environments that avoid stored service passwords
Organisations that control database access through their existing Windows (Active Directory) groups
The machine is joined to the Active Directory domain.
A login exists in Microsoft SQL Server for the Windows user or, better, for an AD group.
That login has db_datareader, db_datawriter, and db_ddladmin on the portier database. db_ddladmin lets portier Vision apply its schema updates when you upgrade. Not sysadmin, not db_owner.
Open the portier Vision Companion (the database configurator).
Choose Microsoft SQL Server as the database type and enter host, port, and database name as usual. For the host format, see Connecting to Microsoft SQL Server.
For authentication, choose Windows Login instead of standard SQL authentication. The user name and password fields drop away.
Run the connection test. On success, save.
The configurator sets DBLOGIN=1 in portiervision.ini. From then on portier Vision connects as the signed-in Windows user (a trusted connection over Kerberos or NTLM). No password is written to the file.
Open portiervision.ini. It shows DBLOGIN=1 and no password entry.
Start portier Vision. The database connects without prompting for a database password.
Access runs under the signed-in user’s Windows identity.
Create the database login for portier Vision with the lowest rights that work: db_datareader and db_datawriter for normal operation, plus db_ddladmin so portier Vision can apply its schema updates during upgrades. Neither sysadmin nor db_owner is needed, and neither should be granted. Without db_ddladmin the login passes Vision’s start-up permission check, but the next version upgrade stops at the first schema change. The simplest approach is to control access through a dedicated AD group and add the permitted users there.
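The following T-SQL is an added example, not part of the portier documentation: it creates a Windows login for an AD group, grants exactly the three database roles named above, and then audits that nothing broader was granted. The group name CONTOSO\portier-users and the database name PortierVision are placeholders; substitute your own.

```sql
-- Added example. Assumed placeholders (not from the portier documentation):
--   AD group : CONTOSO\portier-users
--   database : PortierVision

USE [master];
-- Server-level login mapped to the AD group; no password is involved.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\portier-users')
    CREATE LOGIN [CONTOSO\portier-users] FROM WINDOWS;
GO

USE [PortierVision];
-- Database user for that login.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\portier-users')
    CREATE USER [CONTOSO\portier-users] FOR LOGIN [CONTOSO\portier-users];

-- The three roles the page asks for, and nothing else.
ALTER ROLE db_datareader ADD MEMBER [CONTOSO\portier-users];
ALTER ROLE db_datawriter ADD MEMBER [CONTOSO\portier-users];
ALTER ROLE db_ddladmin   ADD MEMBER [CONTOSO\portier-users];
GO

-- Audit 1: database roles held directly by the group.
-- Expect exactly db_datareader, db_datawriter, db_ddladmin.
-- A db_owner row here means the grant is broader than needed.
SELECT r.name AS database_role
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = N'CONTOSO\portier-users'
ORDER BY r.name;

-- Audit 2: server roles held directly by the login.
-- Expect no rows; a sysadmin row means the login is over-privileged.
SELECT r.name AS server_role
FROM sys.server_role_members AS srm
JOIN sys.server_principals AS r ON r.principal_id = srm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = srm.member_principal_id
WHERE m.name = N'CONTOSO\portier-users';
```

The audit queries only show roles granted directly to the group's login; a user who also has a personal login or belongs to another mapped group can hold further rights through those.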
Integrated authentication needs Microsoft SQL Server and a Windows domain identity. In two cases it is not available:
Firebird: The bundled Firebird database has no Windows integrated authentication. Here an encrypted password stays in portiervision.ini.
SQL Server on non-domain machines (workgroup): Without a domain identity there is nothing to authenticate against. An encrypted password stays stored here too.
For the SQL Server case, keep that stored login at least privilege: db_datareader, db_datawriter, and db_ddladmin.
With integrated authentication there is no recoverable database password, neither in portiervision.ini nor in the program’s memory. Authentication is the user’s own Windows identity.
See also: portier Vision Setup and Installation Manual and Connecting to Microsoft SQL Server.