SQL authentication between DMZ and internal networks

Greetings all,
We've recently created a DMZ for our web servers, which connect on the back end to an internal SQL DB. The SQL server is configured to use AD to authenticate users, so most of you probably already understand the problem. Either we extend the internal domain out to the DMZ in some form (RODC, trusted domain, etc.), which we really want to avoid for security reasons, or we create separate SQL accounts, which will add a lot of confusion, among other issues, for our end users. From my research (Google, etc.) and speaking with one of our DBAs, it seems that there is not much choice here; it's one of the two scenarios listed above or nothing, but... I thought I'd ask the experts.

Is there something obvious I've missed? Has anyone done this before and can offer advice and/or point me in the direction of some additional documentation?

Many thanks in advance!


Really depends what you want to do. Contained databases are a possibility (no login required). Certificate-authenticated logins are another, though they are a bit more trouble to set up.
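For readers who, like the OP, are not DBAs, here is what the two options in the reply above look like in T-SQL. This is an added example, not code from anyone in the thread; the database name WebAppDb, the user webapp_svc, the certificate WebTierCert and the login webtier_cert_login are placeholder names, and it assumes SQL Server 2012 or later (where contained databases were introduced).

```sql
-- Added example (not from the thread). Placeholder names: WebAppDb, webapp_svc,
-- WebTierCert, webtier_cert_login. Assumes SQL Server 2012+ on the internal host.

-- 1. Server level: contained database authentication is off by default.
EXEC sp_configure 'contained database authentication', 1;
RECONFIGURE;
GO

-- 2. Create the database as partially contained
--    (for an existing DB: ALTER DATABASE WebAppDb SET CONTAINMENT = PARTIAL;).
CREATE DATABASE WebAppDb CONTAINMENT = PARTIAL;
GO

USE WebAppDb;
GO
-- 3. A contained user with a password lives only inside this database. There is
--    no server-level login and no AD dependency, so a DMZ web tier can
--    authenticate without a domain trust or an RODC in the DMZ.
CREATE USER webapp_svc WITH PASSWORD = 'Replace-With-A-Long-Random-Secret-1!';

-- Least privilege: grant only what the web application actually needs.
ALTER ROLE db_datareader ADD MEMBER webapp_svc;
GRANT EXECUTE ON SCHEMA::dbo TO webapp_svc;
GO

-- Check: a contained user shows authentication_type_desc = 'DATABASE';
-- an AD or SQL-login-mapped user would show 'WINDOWS' or 'INSTANCE'.
SELECT name, authentication_type_desc
FROM sys.database_principals
WHERE name = 'webapp_svc';
GO

-- 4. Certificate-based login (server level, in master).
USE master;
GO
CREATE CERTIFICATE WebTierCert
    WITH SUBJECT = 'DMZ web tier signing certificate';
CREATE LOGIN webtier_cert_login FROM CERTIFICATE WebTierCert;
GO
```

Two caveats a practitioner will want before choosing. First, the web application's connection string must name the contained database (Initial Catalog=WebAppDb), because the user does not exist at the server level and authentication against master will fail. Second, a login created FROM CERTIFICATE cannot be used to open a client connection at all; SQL Server uses such logins for module signing and for granting server-level permissions to signed code, so on its own it does not solve the DMZ-to-internal client authentication problem the OP describes.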

Thank you for the response.

I meant to include in my original post that I am NOT a DBA, so any advice is greatly appreciated. I'm not familiar with the contained database configuration, but using certificates (LDAP / LDAPS?) was something I was considering, though I was confused as to how that setup integrates with SQL Server and AD. I didn't really find a comprehensive doc that laid out how it's configured. If you are aware of any, it would be most helpful. If it can be done securely and without too much change on the DB side, then that's probably the way to go in our situation. Again, thank you.

Create Logins

Thanks again for the input/advice. Accounts local/unique to the SQL Server will probably not work for us, but I believe I've found a reasonable alternative: it's called AD FS and would seem to offer the most secure solution. As you mentioned, this includes certificate-authenticated logins, but in the long run it is probably most suited to our needs. I've included a link to a fairly straightforward installation/configuration guide, for those who may be interested.