I am trying to develop an intranet that will hold sensitive data.
Having looked at technet, I know that I can't use challenge/response
authentication on the IIS machine and integrated authentication on the
SQL machine (different servers), but all the workarounds look very
ugly. It seems that I have a few choices:
1. Use basic authentication for IIS, integrated for SQL. However,
I'm then passing passwords over the network in plain text. Also, I
still can't get it to work.
2. Allow anonymous access to the web site, and add the IUSR...
account to SQL's users. However, everyone then runs at the same
permissions and I lose user-level auditing (there are triggers that
record who did what for certain actions)
3. Use standard security for SQL. This, however, means storing the
user ID & password somewhere on the web server.
Presumably, there is a set of 'best practices' for doing this...
umm... what are they?
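To make the auditing point concrete, here is an added T-SQL example (not part of the original post) of the kind of trigger the question describes, showing what the trigger can and cannot record under each of the three options. The table, column and trigger names (dbo.Salary, dbo.SalaryAudit, dbo.trg_Salary_Audit, WebUser) are hypothetical.

```sql
-- Added example, not from the original post. Assumed objects: dbo.Salary,
-- dbo.SalaryAudit and the trigger dbo.trg_Salary_Audit (all hypothetical).
CREATE TABLE dbo.Salary (
    EmpId    int     NOT NULL PRIMARY KEY,
    Amount   money   NOT NULL,
    WebUser  sysname NULL      -- identity the web tier claims to act for (options 2 and 3)
);
GO

CREATE TABLE dbo.SalaryAudit (
    AuditId   int IDENTITY(1,1) NOT NULL PRIMARY KEY,
    EmpId     int      NOT NULL,
    OldAmount money    NULL,
    NewAmount money    NULL,
    SqlLogin  sysname  NOT NULL,   -- SUSER_SNAME(): the login SQL Server actually authenticated
    WebUser   sysname  NULL,       -- whatever the application wrote; SQL Server cannot verify it
    ChangedAt datetime NOT NULL DEFAULT GETDATE()
);
GO

-- "FOR" rather than "AFTER" so the syntax works on SQL Server 7.0 as well as 2000.
CREATE TRIGGER dbo.trg_Salary_Audit ON dbo.Salary
FOR INSERT, UPDATE
AS
BEGIN
    SET NOCOUNT ON;
    INSERT dbo.SalaryAudit (EmpId, OldAmount, NewAmount, SqlLogin, WebUser)
    SELECT i.EmpId, d.Amount, i.Amount, SUSER_SNAME(), i.WebUser
    FROM inserted i
    LEFT JOIN deleted d ON d.EmpId = i.EmpId;   -- deleted is empty for an INSERT
END
GO

-- Constructed sample activity.
INSERT dbo.Salary (EmpId, Amount, WebUser) VALUES (7, 50000, 'DOMAIN\alice');
UPDATE dbo.Salary SET Amount = 52000, WebUser = 'DOMAIN\alice' WHERE EmpId = 7;

-- Option 1 (the user's own Windows credentials reach SQL Server): SqlLogin is
--   DOMAIN\alice, so the trigger identifies the user by itself.
-- Option 2 (anonymous web access): SqlLogin is the IUSR account for every row.
-- Option 3 (standard security): SqlLogin is the single SQL login stored on the
--   web server for every row.
-- Under 2 and 3 only the WebUser column tells users apart, and it is only as
-- trustworthy as the web application that fills it in.
SELECT AuditId, EmpId, OldAmount, NewAmount, SqlLogin, WebUser
FROM dbo.SalaryAudit
ORDER BY AuditId;
```

The SqlLogin column is the only value SQL Server vouches for; a WebUser column supplied by the application restores per-user records under options 2 and 3, but it moves the trust from the database's authentication to the web tier's code and whatever account that code runs as.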