How to audit an asp.net/SQL Server user

I am building a very simple asp.net application that will have a SQL Server 2008 backend.

Some users will be entering data and storing in the database and some users will be viewing data.

The SQL Server 2008 is working with Windows authentication for every user; however, I am unable to get ASP.NET working with Windows authentication yet. Is there a simple way to allow windows authentication with ASP.NET? I found a very convoluted way, bu开发者_开发技巧t I don't like it.

I will need to audit every action that the users perform.

Should I audit the users at the application level or at the SQL Server level?

Are there already built in methods to do this? If so, how?

On the contrary, I have always found Windows Authentication to be quite easy to set up and relatively painless. Here's some guides:

• Setting up
• More Setting up

I didn't realize that you could audit what users did at the ASP.NET level. My answer would be to use SQL Server for this one. You'd need to log:

• timestamps and user name for every action
• do you need to log workstation or location where the actions were performed?
• can users go to mul
• if multiple locations use this application, consider storing UTC time only
• all actions, even deletes, which mean that delete's only get "hidden" from the user, but never erased from the database. Same for edits, the old record should never be changed or taken out of the database.

Your best bet here is to talk to your boss about this one. Auditors can have very specific needs, and you definitely don't want to forget anything. Every situation is different, so be sure to sit down and double check all your requirements and specifications.

Two things:

1. Here is example on Win auth on asp.net app:

http://weblogs.asp.net/scottgu/archive/2006/07/12/Recipe_3A00_-Enabling-Windows-Authentication-within-an-Intranet-ASP.NET-Web-application.aspx

1. I suggest you implement a log framework like log4net to log your application. It's simple and easy to use http://logging.apache.org/log4net/download.html

I would do this from the application if it is significant HOW people accessed the data as much as the WHO, but that's quite different from rlb.usa's answer. In my past jobs, it's often been as important to know which application the person changed data from as when/who. If it's primarily for application issues, log4net is a good option.