IIS7.5 authentication to Sql Server 2008 r2 Login
I have what I thought would have been a pretty normal scenario...
I have:
- a WCF client
- a WCF service hosted in AppFabric within IIS 7.5
- SQL Server 2008 R2
IIS is running using the App Pool Identity
I am connecting from the client using the following config file
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.serviceModel>
    <client>
      <endpoint
        name="NetTcpBinding_IXXXService"
        address="net.tcp://app02.xx.com/XXXService/XXXService.svc"
        binding="netTcpBinding"
        contract="XXXClient.IXXXService">
        <identity>
          <servicePrincipalName value="host/app02.xx.com" />
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>
I can get the service to connect to the database if I create a \$ login.
When using the application pool identity is this the only way of connecting to the database using Windows authentication?
I presume this is allowing the Network Service account on this machine to access the database. I also presume that this also means any service running as Network Service can access the database?
Is there any way of tying the application pool identity to the database login?
EDIT: When I change the user of the App Pool to be another user with access to the database I get an SSPI failed error
Please forgive me for taking a stab at this when I am not familiar with WCF or AppFabric, though I do know a little about IIS and authentication to SQL Server on a different server.
- Can you connect to the database if you use username-based security with a password?
- What authentication method are you using on the web site?
- If you are trying to use integrated Windows authentication and your web authentication method is also integrated, then you have to use Kerberos security in IIS to allow delegation for the "second hop" over the network to the SQL server. Regular NT security is not enough because it can only do impersonation, which doesn't allow this. Getting delegation to work can be a pain in the butt, but you have to examine the SPN you're using and make sure it's properly registered on the SQL server, plus mess around with IIS to make sure that Kerberos is enabled and actually working instead of it silently slipping back to NTLM. The web server also has to be "trusted for delegation" in the domain group policy (assuming your web server is joined to a domain).
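The three checks in that answer (is the SQL Server SPN registered, is the web server trusted for delegation, and did the connection really use Kerberos or silently fall back to NTLM) can be scripted. The following is an added example, not code from the question or the answer. It takes the web server name from the question's endpoint address (app02.xx.com); the SQL Server host (sql01.xx.com), port (1433), and the SQL Server service account (XX\svc_sql) are assumptions, passed as parameters so they can be replaced with the real values. It needs the RSAT ActiveDirectory module and the setspn tool on the machine where it runs.

```powershell
# Added example (not from the original post): checks the Kerberos "second hop"
# prerequisites between IIS on app02.xx.com and SQL Server.
# Assumed values (change to match the environment):
#   -SqlHost    sql01.xx.com   assumed SQL Server host
#   -SqlPort    1433           assumed SQL Server port
#   -SqlSvcAcct XX\svc_sql     assumed account SQL Server runs as
param(
    [string]$WebServer  = 'app02',
    [string]$SqlHost    = 'sql01.xx.com',
    [int]   $SqlPort    = 1433,
    [string]$SqlSvcAcct = 'XX\svc_sql'
)

# 1. Is the MSSQLSvc SPN registered on the account SQL Server runs as?
#    If it is not, clients cannot get a Kerberos ticket for SQL Server and
#    silently fall back to NTLM, which cannot be delegated.
$expectedSpn = "MSSQLSvc/${SqlHost}:${SqlPort}"
$registered  = setspn -L $SqlSvcAcct 2>&1
if ($registered -match [regex]::Escape($expectedSpn)) {
    "OK: $expectedSpn is registered on $SqlSvcAcct"
} else {
    "MISSING: register it with   setspn -S $expectedSpn $SqlSvcAcct"
}

# 2. Is the web server's computer account trusted for delegation?
#    The App Pool identity / NETWORK SERVICE presents the machine account on
#    the network, so the computer account is the one that must be trusted.
Import-Module ActiveDirectory
$web = Get-ADComputer -Identity $WebServer -Properties TrustedForDelegation
if ($web.TrustedForDelegation) {
    "OK: $WebServer is trusted for delegation"
} else {
    "NOT TRUSTED: Set-ADAccountControl -Identity '$($web.DistinguishedName)' -TrustedForDelegation `$true"
}

# 3. Ask SQL Server which scheme an integrated connection actually used.
#    Run this part on the web server under the app-pool account so it
#    exercises the same path IIS takes: 'KERBEROS' means the chain works,
#    'NTLM' means it fell back and delegation to SQL Server will fail.
$cs   = "Server=$SqlHost,$SqlPort;Integrated Security=SSPI;Database=master"
$conn = New-Object System.Data.SqlClient.SqlConnection $cs
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = "SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID"
"Auth scheme seen by SQL Server: " + $cmd.ExecuteScalar()
$conn.Close()
```

Step 3 is the one that answers the "is it silently slipping back to NTLM" question in the answer above; steps 1 and 2 are the usual causes when it reports NTLM. The SSPI failure in the question's EDIT, seen after moving the app pool to a domain user, is the symptom step 1 is meant to surface: the SPN check should then be repeated for the HTTP/host SPN of the web server against that domain user rather than the machine account.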