I have InterBase 6 running on Windows (but it might also run on Linux, depending on what the client wants), a COM+ application server and the client applications. The client apps connect to the COM+ appserver using DCOM, and the COM+ appserver connects to the database using dbExpress components. The question is, how can I establish three-layer user authentication? Meaning that the username and password would get validated on the client, the appserver and in the database. I looked into COM+ security and authentication, but this requires all users to also be in the Windows user accounts, so it's no good. One option is to send the username and password from the client to the appserver on every call, but this is a bit dumb (at least it sounds dumb to me).
What would be the simplest and best way to do authentication?