We are working on a project where we are converting our client server
application to a n-tier model to make it more scalable. The question I
have here for the group is to see if I can get some ideas on how the
security should be implemented for this kind of architecture.

I am new to this n-tier world so I am looking for some guidance. Just
to give you an idea, basically the plan is to split the existing thick
client into three layers,  a thin client (C# using .net), a middle tier
consisting of business logic(C#. net) and SQL Server as the database.
In addition to this we will have some  web services which in turn will
talk to the application server and then to the database. The web
services will be written so that in the near future a web portal will
be created which will use  the web services to write and read data from
the database. So basically we are anticipating data from the thin
client which will primarily be the Customer Support representatives and
data from end users from the web.

My question is under this scenario what is the normal and standard
practice for authentication?

What methodology should be used for authenticating users to the thin
client?  Should each user be authenticated using the windows
authentication or should that be custom security. How should the users
coming from the web be authenticated.

Once the user is logged on through thin client do we need any security
when we do remoting to the business layer. How should the security at
the database be implemented, we would like to audit all the changes on
a user name basis. I have been reading quite a bit on security but I am
still confused what approach would be the best under the above
scenario.

Any help in this regard will be greatly appreciated. If there is any
white paper or website, or book that might help please feel free to
suggest we are in a time crunch to get this project completed.

Thanks