Your assumption is correct. Your windows domain must be added and given permission in SQL Server for Integrated Security to work. As a best practise, you should always create a dedicated database user specifically for your app and apply principle of least privileges to that user. For example, you would want your application to insert, update and delete rows from tables, but you wouldn't want you app to DROP tables or DROP the entire database itself. As a matter of fact, I have seen production applications using the built-in 'sa' account to access the database, which is really a security issue. Creating a separate user and streamlining its access also protects your database from vulnerabilities in your applications like SQL injection attacks.