Hi, We have an asp.net public facing web solution that includes the following servers: · Two Load balanced web servers in the DMZ · Sql Server Database Server Traditionally, the web servers stay standalone servers and not part of any domain. We are thinking to use active directory. We are thinking to have an AD server dedicated to this solution only (it is different than the company’s operational AD). The AD server in the environment helps us to have webserver’s application pool be authenticated against the SQL server to prevent the requirement of having SQL server UID/PWD in the web.config files. From the security bets practices approach, which one of the following options is recommended? · Option 1) Public facing web servers stay stand alone, SQL server authentication is used · Option 2) Public facing web servers are part of an AD domain (different than company operational domain) and database server authenticates the web servers against their application pool identity. Thank you,

This is more like a web server qustion. you can ask in http://forums.iis.net/