Chapter 6. Authentication: who are you?
Security experts often refer to the “three As” of security: authentication, or who you are; authorization, or what you can do; and accounting, or auditing, which is what you’ve done. In this and the next two chapters we’ll explore those concepts as they apply to SQL Server. We’ll begin with authentication. Are you who you say you are? SQL Server uses a two-layer system of authentication—logins and database users—with lots of variations and options. Some of these options are in the product because they’ve always been there; some of them are new concepts for SQL Server that are designed to meet changing business and operational requirements.
The first layer in the traditional SQL Server model is the login. A login lets you connect to the instance itself, and server-wide permissions and server roles (sysadmin, for example) are granted to logins. By itself a login grants no access to any particular database: for that, the login must be mapped to a database user in each database it needs, which is the second layer.
Remember that SQL Server has two authentication modes: Windows Authentication mode and Mixed mode (Windows Authentication plus SQL Server Authentication). In Windows Authentication mode, every login that can connect is a Windows principal: a local user or group account, or a domain user or group account (the built-in sa login still exists, but it is disabled). In other words, SQL Server doesn't verify your credentials itself. Windows does, through Kerberos or NTLM, against Active Directory or the local computer's Security Accounts Manager (SAM), and SQL Server trusts the access token that results. The practical consequence is that a Windows-authenticated connection is exactly as strong as the domain's account and password policy; SQL Server adds nothing to it.
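The two layers and the authentication-mode check, as an added T-SQL example that is not from the book. The domain (CONTOSO), group (SalesAnalysts) and database (Sales) names are assumptions; the catalog views and the SERVERPROPERTY call are standard SQL Server.

```sql
-- Added example, not from the book. CONTOSO, SalesAnalysts and Sales are
-- assumed names; replace them with your own domain, group and database.

-- 1. Which authentication mode is this instance in?
--    1 = Windows Authentication mode only, 0 = Mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS WindowsAuthOnly;

-- 2. Layer one: a login. The principal is a Windows domain group, so SQL
--    Server never sees a password. Active Directory authenticates the group
--    member, and SQL Server trusts the token Windows hands it.
CREATE LOGIN [CONTOSO\SalesAnalysts] FROM WINDOWS
    WITH DEFAULT_DATABASE = [master];

-- The login now exists as a server principal and can connect to the
-- instance, but it is not yet a principal in any user database.
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE name = N'CONTOSO\SalesAnalysts';

-- 3. Layer two: a database user mapped to that login. Without this mapping,
--    a group member who connects and issues USE Sales gets error 916
--    ("The server principal ... is not able to access the database ...").
USE Sales;
GO
CREATE USER [SalesAnalysts] FOR LOGIN [CONTOSO\SalesAnalysts];

-- Verify the mapping: the login and the user share the same SID, which is
-- how SQL Server ties the two layers together.
SELECT sp.name AS login_name, dp.name AS user_name, dp.type_desc
FROM sys.database_principals AS dp
JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE dp.name = N'SalesAnalysts';

-- 4. The check a practitioner wants in every database: users whose SID no
--    longer matches any login ("orphaned" users). They cannot be used to
--    connect, but they still hold permissions and should be re-mapped or
--    dropped.
SELECT dp.name AS orphaned_user, dp.type_desc
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE dp.type IN ('S', 'U', 'G')      -- SQL user, Windows user, Windows group
  AND dp.authentication_type = 1      -- instance-authenticated (mapped to a login)
  AND sp.sid IS NULL;
```

Run the first statement before anything else: if it returns 0, the instance also accepts SQL Server logins (name plus password stored and checked by SQL Server itself), and the Windows-only reasoning above does not cover every path into the server.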