I have an ASP.Net application that I designed with integrated security,
including accessing SQL Server via group permissions.

In the production system the web server is in the DMZ with a firewall
between it and SQL Server. This makes Active Directory problematic because
it means opening a NetBIOS hole in the firewall, which means we might as
well not have a firewall.

I *think* without AD integrated security is problematic, if it can work at
all, right?

So - with this setup what are others doing for security? Simple forms-
based? or is there a solution I'm missing?

Thanks,
Philo