Hi Chris,

Security is a big road block companies run into. There is another resource I would recommend reading that will give you good answers to how to setup your site. The real issue for you is that SQL Server is on another server and how the credentials are transfered. Read this and see if it clarifies what you are looking for. If not then I can assist you with consulting.

http://support.microsoft.com/default.aspx?scid=%2Fservicedesks%2Fwebcasts%2Fwc112001%2FWCT112001.asp

>I had all the settings configured as you suggested (on IIS and Web.Config) except for the Integrated Security setting. After confirming that all was as you suggested, I reinstalled my app on my webserver. Now I don't even get prompted for username/password when I connect to the server. So when I try to connect to my SQL database, it's trying to connect as 'NT AUTHORITY\ANONYMOUS LOGON'.
>
>"server=insert server name here;trusted_connection=yes;database=databaseNameHere;Integrated Security=SSPI;"
>
>Turns out it was caused by my checking the 'Integrated Windows Security' box on the IIS Directory Security dialog. The problem is that when I uncheck this box, the user has to log into the IIS box (and not the domain). I need them to log into the domain. We are going to have hundreds of users who will need Domain Accounts as well as local IIS accounts (a maintenance nightmare). Also, I need them to authenticate to the domain so that I can get information about their groups.
>
>I don't know enough about NT security to make any decisions. I will try to make it through the paper you suggested (there's alot of information there!). I think I'll try to find someone who might be willing to do some security consulting work (any recommendations/ideas?) to make sure I architect the solution to meet our strict banking security and business needs.
>
>m