Initiatives: MS Pattern and Practices recommendation: Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication:
Extranet Security and Access Security.
Scenario 1 SqlServer and Web Server are running on the same box
Likely be the home pc or standalone development environment-the configuration is quite simple:
1. IIS6 (Windows 2003 Server)
Follow this article to configurate IIS 6 access to SqlServer.
In my experiments, it shows that the IIS anonymous account setting in the web app's '(Virtual) Directory Security setting | Authentication and access control' and disable/enable integrate Windows authentication is not relevant- it will always be an IIS_WPG member account used to access SqlServer. You can run EXEC sp_who to find out which account is used.
The only exception to above is you specify <identity impersonate="true"/> in web.config. I tried to use IUSER_
2. IIS5 (Windows 2000 Server)
If running on IIS5(Windows 2000)it is IUSER_
Scenario 2 SqlServer and Web Server are running on two machines
In short, the MS recommended way is:
1)Don't put Web server on the trusted domain, but DMZ.
2)Create a NT account that impersonate as IIS anonymous account on web server.
3)Create the exact same account(username/password) on the Sql Server machine.
4)Grant access to this account.
How to use Trusted Connection when SQL server and web Server are on two separate machines has step by step guide on this.
Following vbs script shows credentials for iis anonymous user account
Set IIsObject = GetObject ("IIS://localhost/w3svc")
WScript.Echo "AnonymousUserName = " & IIsObject.Get("AnonymousUserName") & vbCrlf
WScript.Echo "AnonymousUserPass = " & IIsObject.Get("AnonymousUserPass") & vbCrlf
WScript.Echo "WAMUserName = " & IIsObject.Get("WAMUserName") & vbCrlf
WScript.Echo "WAMUserPass = " & IIsObject.Get("WAMUserPass")
Set IIsObject = Nothing