• You got it right, even Microsoft pushes for this approach on ASP.NET. One SQL account, hidden from the user, for doing the job, and a table of users maintained by your application. By preference, use the same usernames as in the domain. In this way you can use role-based security, maintained by the domain. This is the approach in ASP.NET, but it could easily be extended to other client/server applications.
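A sketch of the pattern described in the reply above, added here as an example and not taken from the original post or from ASP.NET. It assumes an in-memory SQLite connection standing in for the single SQL account, and the class, table, group and user names are all hypothetical.

```python
import sqlite3

# Constructed sample data: group membership as the domain would report it.
DOMAIN_GROUPS = {
    "CORP\\alice": {"Orders-Readers", "Orders-Editors"},
    "CORP\\bob": {"Orders-Readers"},
    "CORP\\carol": {"Orders-Editors"},  # domain user, not registered in the app
}
# Hypothetical mapping of application actions to the domain group granting them.
REQUIRED_GROUP = {"read": "Orders-Readers", "update": "Orders-Editors"}


class OrderService:
    """Middle tier: the only component that holds database credentials."""

    def __init__(self):
        # Stand-in for the single SQL account: one connection owned by the app.
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(
            "CREATE TABLE app_users (username TEXT PRIMARY KEY, active INTEGER);"
            "CREATE TABLE orders (id INTEGER PRIMARY KEY, status TEXT);"
            "CREATE TABLE audit (username TEXT, action TEXT, order_id INTEGER);"
            "INSERT INTO orders VALUES (1, 'open');")
        self.db.executemany("INSERT INTO app_users VALUES (?, 1)",
                            [("CORP\\alice",), ("CORP\\bob",)])

    def _authorize(self, username, action, order_id):
        row = self.db.execute("SELECT active FROM app_users WHERE username = ?",
                              (username,)).fetchone()
        if row is None or row[0] != 1:
            raise PermissionError(f"{username} is not an active application user")
        if REQUIRED_GROUP[action] not in DOMAIN_GROUPS.get(username, set()):
            raise PermissionError(f"{username} lacks the role for {action}")
        # The database sees only the service account, so the application
        # must record which user performed the action.
        self.db.execute("INSERT INTO audit VALUES (?, ?, ?)",
                        (username, action, order_id))

    def read_order(self, username, order_id):
        self._authorize(username, "read", order_id)
        row = self.db.execute("SELECT status FROM orders WHERE id = ?",
                              (order_id,)).fetchone()
        return row[0] if row else None

    def update_order(self, username, order_id, status):
        self._authorize(username, "update", order_id)
        self.db.execute("UPDATE orders SET status = ? WHERE id = ?",
                        (status, order_id))

    def audit_trail(self):
        return self.db.execute(
            "SELECT username, action, order_id FROM audit ORDER BY rowid").fetchall()
```

Every authorization decision happens in the application before the shared connection is used, and the audit table carries the per-user attribution that the database login alone cannot provide.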