Hi Mary,

Assuming that the IIS and SQL boxes are in the same domain ...

In Internet Services Manager, enable Basic authentication and disable
anonymous access. (You should also require SSL.)

In your web.config, specify authentication mode="Windows" and identity
impersonate="true".

Make sure that the connection properties for your SQL connection (e.g., your
connection string) specifies integrated security (e.g., "Integrated
Security=SSPI") and not a username and password.

When your ASP.NET web app connects to SQL Server, it will do so as the
Windows user who logged on to your site.

Here is a very good article that you should read which explains about building secure ASP.NET applications:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp

>I am writing a ASP.net application. I have configured Web.Config to use Windows Authentication with Impersonation as follows:
> authentication mode="Windows"
> identity impersonate="true"
>
>When I try to connect to my SQL database, it's trying to connect as the ASPNET user. That user does not have any rights to connect to my database (nor do I want to give them any rights).
>
>I have done a lot of reading on the Identity and Principal classes, but still don't understand how to tell SQL server what user has been authenticated for my connection.
>
>I know I must be missing something really obvious, I just can find it. Any ideas?
>
>Mary Hintermeier (through Chris D'Arrigo)
>RSA