I have an internal SQL server which is accessed by a publicly facing IIS web server. Both the SQL and IIS servers are internal domain member servers, but the IIS server is accessed by both internal and external users. I'm specifying the connection string to the SQL database in web.config. The password is stored in web.config in plain text.
Is it possible to use "Integrated Security" for the connection string, or will that not work for external users? I'm not entirely sure how this works. My thinking is that when specifying "Integrated Security" for the connection string and then specifying a domain user for the app pool (App Pool identity), IIS will go ahead and use that user to authenticate to SQL. Or will it? I basically don't want the credentials to be saved in plain text. What are my options? How could IIS securely pass the credentials without needing to spell them out in plain text within the connection string?