• I would like to see a simple, yet robust mechanism to ensure users cannot access an instance directly (i.e. via SSMS or whatever) when using Windows Integration. In other words, I would like to limit them to access through my front-end application only.

    I've researched this before and the only options I could see were to use an application role (which has limitations), certificates (too complex?) or a logon trigger that checks what application the user is coming in using (not a particularly elegant solution in my opinion).

    Surely the great minds at Microsoft could come up with a simple solution for this!
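
For reference, two of the options the comment names, the logon trigger and the application role, sketched in T-SQL. This is an added example, not part of the original comment; the trigger, role, database and application names and the password are placeholders chosen for illustration.

```sql
-- Option A: logon trigger that rejects sessions not announcing the front end.
-- APP_NAME() is whatever the client puts in its connection string, so treat
-- this as a guardrail against casual direct access, not a security boundary.
USE master;
GO
CREATE TRIGGER trg_restrict_client_app        -- (hypothetical) trigger name
ON ALL SERVER
FOR LOGON
AS
BEGIN
    -- Exempt sysadmins so a mistake here cannot lock administrators out.
    IF IS_SRVROLEMEMBER('sysadmin') = 0
       AND APP_NAME() <> N'MyFrontEnd'        -- (hypothetical) application name
        ROLLBACK;                             -- terminates the login attempt
END;
GO
-- To back the trigger out:
-- DROP TRIGGER trg_restrict_client_app ON ALL SERVER;

-- Option B: application role. Users hold no object permissions themselves,
-- so a direct SSMS session can connect but cannot read or change data.
USE AppDb;                                    -- (hypothetical) database
GO
CREATE APPLICATION ROLE frontend_role         -- (hypothetical) role name
    WITH PASSWORD = N'<placeholder-password>';
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO frontend_role;
GO
-- Executed by the front end immediately after it opens its connection.
-- The session then runs with frontend_role's permissions only.
EXEC sys.sp_setapprole
     @rolename = N'frontend_role',
     @password = N'<placeholder-password>';
```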