A multi-tier application (client; Web server application, business rules, database perhaps on multiple computers) can be built which allows you to have accountability throughout. That is, you can record in audit records the user account that accessed the data (or as Microsoft says "flow and authenticated identity across multiple tiers"). This is not possible in all situations and must be carefully configured to ensure a secure installation and application operation. It is possible because Kerberos has delegation. In Kerberos the authentication credentials can be delegated to the use of the application and can be used to access remote data in the security context of the original user if the user account and computer are configured to allow this and the application is written to do so.
Windows 2000 or Windows Server 2003 are necessary and Windows Server 2003 is recommend. Since it provides protocol transition (the Web client does not have to be able to use Kerberos, just the servers), delegation can be constrained (limited to specific services such as database access). A number of white papers and other documents can help you both understand the process and provide examples. These will help you get started. How to implement Kerberos Delegation for WIndowsWindows 2000 and Microsoft Windows Server 2003: Kerberos Protocol Transition and Constrained Delegation.
This was first published in September 2004