We've recently created a DMZ for our web servers, which connect on the back end to an internal SQL DB. The SQL server is configured to use AD to authenticate users, so most of you probably already understand the problem. Either we extend the internal domain out to the DMZ in some form (RODC, trusted domain, etc.), which we really want to avoid for security reasons, or we create separate SQL accounts, which will add a lot of confusion, among other issues, for our end users. From my research (Google, etc.) and speaking with one of our DBAs, it seems that there is not much choice here: it's one of the two scenarios listed above or nothing, but... I thought I'd ask the experts.
Is there something obvious I've missed? Has anyone done this before and can offer advice and/or point me in the direction of some additional documentation?
Many thanks in advance!