If you want to use Kerberos delegation to build a secure infrastructure (and YOU DO) you will need to join those Web servers to the domain. The web server (or service account) will need the ability to delegate assigned to it in order to allow user impersonation against your SQL server.
You probably want to stay away from using SQL-based authentication on the SQL server if you have any auditing or statutory requirements for tracking data access (HIPAA, SOX, etc.). You should be tracking access through your provisioning process (i.e. who is in what groups, how that was approved, and by whom) and all access to data should be through a user's assigned account.
For DMZ issues related to accessing the AD, you can resolve some of that with Server 2008 using a Read-Only DC (RODC) but there is still risk with deploying into the DMZ. There are also some ways to force a DC to use specific ports to punch through a firewall, but this type of customization can make it difficult to troubleshoot authentication problems.
If you have specific needs to allow both Internet and Intranet users access to the same application you might need to look into using one of the Federated Services products, either the Microsoft offering or something like PingFederate.
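The delegation setup described in the answer above, as an added example that is not part of the original post: it grants the web service account *constrained* delegation to only the SQL server's SPN, makes sure unconstrained delegation is switched off, and finishes with an audit that lists every account in the domain still trusted for unconstrained delegation. The account name `svc_web`, the host `sql01.corp.example.com` and the SPN are constructed for the example; it assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined admin workstation.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# module and these constructed names:
#   svc_web                                - service account the web app pool runs as
#   MSSQLSvc/sql01.corp.example.com:1433   - SPN of the SQL Server instance
Import-Module ActiveDirectory

$webAccount = 'svc_web'
$sqlSpn     = 'MSSQLSvc/sql01.corp.example.com:1433'

# 1. Constrained delegation: the web account may request service tickets on a
#    user's behalf only for the SPN(s) listed in msDS-AllowedToDelegateTo.
#    (If the app pool runs as Network Service, apply the same attribute to the
#    web server's computer object with Set-ADComputer instead.)
Set-ADUser -Identity $webAccount -Add @{ 'msDS-AllowedToDelegateTo' = $sqlSpn }

# 2. Never combine this with unconstrained delegation (TRUSTED_FOR_DELEGATION
#    in userAccountControl): that flag would let the account impersonate any
#    user to any service in the forest, which is exactly what you do not want
#    on a DMZ-facing web server.
Set-ADAccountControl -Identity $webAccount -TrustedForDelegation $false

# Protocol transition is only needed when Internet users log on with a
# non-Kerberos method (forms auth, federation) and the web tier must still
# reach SQL as that user. Intranet-only, Kerberos-end-to-end sites leave it off.
# Set-ADAccountControl -Identity $webAccount -TrustedToAuthForDelegation $true

# 3. Show the resulting delegation settings for the account.
function Get-DelegationSummary {
    param([string] $Identity)
    Get-ADUser -Identity $Identity -Properties msDS-AllowedToDelegateTo,
        TrustedForDelegation, TrustedToAuthForDelegation |
        Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
            @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }
}

# 4. Audit: every user and computer account trusted for unconstrained
#    delegation. Domain controllers (primary group RID 516) are expected and
#    excluded; anything else on this list, especially a web server, should be
#    reviewed and moved to constrained delegation.
function Get-UnconstrainedDelegationAccounts {
    $users = Get-ADUser -Filter 'TrustedForDelegation -eq $true' `
        -Properties TrustedForDelegation, ServicePrincipalName
    $computers = Get-ADComputer -Filter 'TrustedForDelegation -eq $true' `
        -Properties TrustedForDelegation, ServicePrincipalName, PrimaryGroupID |
        Where-Object { $_.PrimaryGroupID -ne 516 }

    @($users) + @($computers) |
        Select-Object Name, ObjectClass, DistinguishedName,
            @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join '; ' } }
}

Get-DelegationSummary -Identity $webAccount | Format-List
Get-UnconstrainedDelegationAccounts | Format-Table -AutoSize
```

Run the audit function on a schedule and diff its output: a new non-DC entry means someone ticked "Trust this computer for delegation to any service" instead of scoping it to the SQL SPN, and that is worth catching before the server is exposed in the DMZ.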