Anatomy of a Connection String
Basic Structure
Server=sqlserver.contoso.com;Database=MyDatabase;Integrated Security=true;
A connection string is key=value pairs separated by semicolons. Each key controls a specific aspect of the connection:
| Key | Purpose | Example Value |
|---|---|---|
| Server | Instance name or IP:port | sqlserver.contoso.com, 192.168.1.10:1433, .\SQLEXPRESS |
| Database | Target database name | MyDatabase |
| Integrated Security | Use Windows auth (no username/password) | true, false |
| User ID / Password | SQL Server login credentials | sa, mylogin (only if Integrated Security=false) |
| Connection Timeout | Seconds to wait for connection (default 15) | 30, 60 |
| Encrypt | Encrypt connection (mandatory, optional, strict) | true, false, strict |
| TrustServerCertificate | Trust self-signed certs (security risk!) | true, false |
| Pooling | Reuse connections from pool | true, false |
| Max Pool Size | Max pooled connections | 100 (default) |
Authentication Methods
1. Windows Authentication (Integrated Security)
-- Connection string:
Server=sqlserver.contoso.com;Database=MyDatabase;Integrated Security=true;
-- Uses:
-- - Current Windows user's credentials
-- - No password in connection string (secure by default)
-- - Requires: User account must have SQL Server login
-- - Works: Windows domain environments, same network
-- C# example:
SqlConnection conn = new SqlConnection(
"Server=sqlserver.contoso.com;Database=MyDatabase;Integrated Security=true;"
);
Best for: Internal applications, trusted networks, domain-controlled environments.
2. SQL Server Authentication (Username/Password)
-- Connection string:
Server=sqlserver.contoso.com;Database=MyDatabase;User ID=mylogin;Password=MyPassword123!;
-- OR (older syntax):
Server=sqlserver.contoso.com;Database=MyDatabase;uid=mylogin;pwd=MyPassword123!;
-- Uses:
-- - SQL Server login (sa, custom logins)
-- - Password in connection string (DANGER!)
-- - Works anywhere (no domain required)
-- - Risk: Credentials exposed in config files, logs, memory
Instead: Use environment variables, Azure Key Vault, Windows Credential Manager, or encrypted config files.
3. Azure Active Directory (Azure AD / Entra ID)
-- Connection string (Modern .NET only):
Server=myserver.database.windows.net;Database=MyDatabase;Authentication=Active Directory Integrated;
-- OR with client credentials:
Server=myserver.database.windows.net;Database=MyDatabase;Authentication=Active Directory Service Principal;User ID=clientid@tenant;Password=clientsecret;
-- Uses:
-- - Azure AD identity or service principal
-- - Works with Azure SQL Database, SQL Managed Instance
-- - Supports multi-factor authentication
-- - Tokens managed by system (no password exposure)
Named Instances & Connection Protocols
Connecting to Named Instances
-- Default instance (port 1433):
Server=sqlserver.contoso.com;Database=MyDatabase;
-- Named instance (uses SQL Browser on port 1434):
Server=sqlserver.contoso.com\INSTANCE1;Database=MyDatabase;
-- Named instance with explicit port:
Server=sqlserver.contoso.com\INSTANCE1,1433;Database=MyDatabase;
-- OR:
Server=tcp:sqlserver.contoso.com,1433;Database=MyDatabase;
-- Local machine, default instance:
Server=.;Database=MyDatabase;
-- Local machine, named instance:
Server=.\SQLEXPRESS;Database=MyDatabase;
Connection Protocols
| Protocol | Syntax | Speed | Use Case |
|---|---|---|---|
| Shared Memory | lpc:sqlserver.contoso.com | Fastest | Same machine only |
| Named Pipes | np:\\sqlserver.contoso.com\pipe\sql\query | Fast | LAN, firewalls block TCP |
| TCP/IP | tcp:sqlserver.contoso.com,1433 | Standard | Default, internet-facing |
-- Force protocol in connection string:
Server=tcp:sqlserver.contoso.com,1433;Database=MyDatabase;
-- Named pipes (Windows only):
Server=\\sqlserver.contoso.com\INSTANCE1;Database=MyDatabase;
Encryption & Security
The Encrypt Setting (SQL Server 2016+)
-- Encrypt=false (default in older .NET Framework):
-- ✗ Connection is NOT encrypted
-- ✗ Credentials sent in plaintext over network
-- Security risk!
-- Encrypt=optional (default in .NET Core 3.1+):
-- ✓ Encrypt if server supports it
-- ✓ Fall back to unencrypted if unsupported
-- OK for internal networks, risky for untrusted networks
-- Encrypt=true (recommended):
-- ✓ Connection MUST be encrypted
-- ✗ Fails if server doesn't support encryption
-- ✓ Production standard
-- Encrypt=strict (SQL Server 2022+, ODBC 18.0+):
-- ✓ Encrypted + hostname verification
-- ✓ No self-signed certificates allowed
-- ✓ Maximum security (recommended for Azure, internet)
Server=sqlserver.contoso.com;Database=MyDatabase;Encrypt=true;
Certificate Trust Issues
-- SQL Server uses self-signed certificate by default
-- When you connect with Encrypt=true, client validates certificate
-- Problem: Certificate doesn't match hostname
-- Error: "The certificate chain was issued by an authority that is not trusted."
-- Solution 1: Install server's certificate in trusted store (production)
-- Solution 2: Use TrustServerCertificate=true (development only!)
-- DANGER: TrustServerCertificate=true disables hostname verification
-- Vulnerable to man-in-the-middle attacks!
-- Secure: Use proper certificates + Encrypt=strict
Server=sqlserver.contoso.com;Database=MyDatabase;Encrypt=strict;
-- Insecure (development only):
Server=sqlserver.contoso.com;Database=MyDatabase;Encrypt=true;TrustServerCertificate=true;
Timeouts & Reliability
Connection Timeout vs. Command Timeout
-- Connection Timeout (seconds to establish connection):
Server=sqlserver.contoso.com;Database=MyDatabase;Connection Timeout=30;
-- Default: 15 seconds
-- Use 30+ for slow networks, cloud instances
-- Once connected, this doesn't apply
-- Command Timeout (seconds to wait for query to execute):
-- Set in code, NOT in connection string
SqlCommand cmd = new SqlCommand("SELECT * FROM LargeTable", conn);
cmd.CommandTimeout = 300; // 5 minutes
-- Default: 30 seconds
-- Long-running queries need higher values
// Note: Connection pooling disabled if timeout=0
Connection Pooling
-- Pooling enabled (default):
Server=sqlserver.contoso.com;Database=MyDatabase;Pooling=true;Max Pool Size=100;Min Pool Size=5;
-- Benefits:
// - Connections reused (faster opens)
// - Reduced authentication overhead
// - Better resource utilization
-- Connection identity matters:
// Connections are pooled per unique connection string
// Different users = different pools
// Case-sensitive for comparison
SqlConnection conn1 = new SqlConnection(
"Server=sql1;Database=MyDb;User ID=user1;Password=pwd;"
);
SqlConnection conn2 = new SqlConnection(
"Server=sql1;Database=MyDb;User ID=user1;Password=pwd;"
);
// conn1 and conn2 can share the same pooled connection
SqlConnection conn3 = new SqlConnection(
"Server=sql1;Database=MyDb;User ID=user2;Password=pwd;"
);
// conn3 uses a DIFFERENT pool (different user)
Connection Lifetime
-- Max Pool Size: Maximum pooled connections (default 100)
-- Min Pool Size: Minimum idle connections to keep (default 5)
-- Connection Lifetime: Recycle connections after N seconds
Server=sqlserver.contoso.com;Database=MyDatabase;Max Pool Size=50;Connection Lifetime=300;
-- Connection Lifetime is useful for:
// - Load balancing (recycle connections periodically)
// - Network failover (refresh DNS)
// - Removing stale connections
// - Default: 0 (no recycling)
Complete Connection String Examples
Internal Application (Windows Auth, Trusted Network)
Server=sqlserver.contoso.com;Database=MyDatabase;Integrated Security=true;Connection Timeout=30;
Web Application (SQL Auth, Encrypted)
Server=sqlserver.contoso.com;Database=MyDatabase;User ID=mylogin;Password=SecurePassword123!;Encrypt=true;Connection Timeout=30;Pooling=true;Max Pool Size=100;
Azure SQL Database (Azure AD)
Server=myserver.database.windows.net;Database=MyDatabase;Authentication=Active Directory Integrated;Encrypt=strict;Connection Timeout=30;
Development (Named Instance, Self-Signed Cert)
Server=.\SQLEXPRESS;Database=MyDatabase;Integrated Security=true;Connection Timeout=15;Encrypt=true;TrustServerCertificate=true;
Common Mistakes
Mistake 1: Hardcoding Passwords
// ✗ BAD: Password in code
const string connStr = "Server=sql1;Database=MyDb;User ID=sa;Password=MySecretPassword123!";
// ✓ GOOD: Password from environment variable
string password = Environment.GetEnvironmentVariable("SQL_PASSWORD");
string connStr = $"Server=sql1;Database=MyDb;User ID=sa;Password={password};";
// ✓ BETTER: Use connection string from config (encrypted)
string connStr = ConfigurationManager.ConnectionStrings["DefaultConnection"].ConnectionString;
Mistake 2: Wrong Instance Syntax
// ✗ WRONG:
Server=sqlserver.contoso.com:INSTANCE1;
// ✓ CORRECT:
Server=sqlserver.contoso.com\INSTANCE1;
// ✗ WRONG (mixing backslash and port):
Server=sqlserver.contoso.com\INSTANCE1:1433;
// ✓ CORRECT (explicit port):
Server=sqlserver.contoso.com,1433;
Mistake 3: Forgetting Encrypt in Production
// ✗ Development habit leaking to production:
Server=sqlserver.contoso.com;Database=MyDatabase;User ID=mylogin;Password=pwd;
// ✓ Production-ready:
Server=sqlserver.contoso.com;Database=MyDatabase;User ID=mylogin;Password=pwd;Encrypt=true;
Mistake 4: Connection String Leaking in Logs
// ✗ BAD: Logs full connection string (password visible!)
catch (SqlException ex)
{
logger.Error($"Connection failed: {ex.Message} - Connection: {connectionString}");
}
// ✓ GOOD: Log error only, never log connection string
catch (SqlException ex)
{
logger.Error($"Connection failed: {ex.Message}");
}
Best Practices
- ☐ Never hardcode passwords. Use environment variables, vaults, or encrypted config.
- ☐ Use Integrated Security (Windows Auth) for internal applications.
- ☐ Enable Encrypt=true in production (Encrypt=strict for maximum security).
- ☐ Don't use TrustServerCertificate=true in production.
- ☐ Set Connection Timeout appropriately (30s for reliable networks, higher for cloud/slow networks).
- ☐ Enable connection pooling for multi-threaded applications.
- ☐ Test connection strings in development and staging before production deployment.
- ☐ Monitor connection pool health (pooling issues cause mysterious application hangs).
- ☐ Use named instances with explicit ports when possible (avoids SQL Browser dependency).
- ☐ Never log connection strings (sanitize error messages).
The Bottom Line
A connection string is more than just "Server=sql;Database=db." It controls authentication, encryption, timeouts, and pooling—all critical for reliability and security.
Get the basics right: use Windows Auth internally, enable encryption for production, don't hardcode passwords, and test before deploying. These fundamentals prevent 90% of connection-related production issues.