Configurations I have used in the past are these:
- SQL Server on one server; SSRS native on another server. Users accessed reports via the SSRS Report Manager web UI that comes with SSRS.
- SQL Server on one server; SSRS install in SharePoint Hosting mode on another server. Users accessed reports via SharePoint.
I am not 100% sure what you mean by “web front end is the only destination for client browsers”. If you mean that the end user only hits a web server, and not the database server to get reports, then either one of the above will work. If you have an existing intranet site that you want to host reports in, you can do so via web parts, if you are using MS technologies. You will still need SSRS setup somewhere so you can deploy reports, and the web part would read from it. Or, you can continue the redirect to either Report Manager or SharePoint if you go that route.
As far as authentication: the authentication between SSRS and SQL Server is usually done via an AD (Active Directory) user/service account that SSRS runs under, and also has access to the databases is uses on the SQL Server.
The authentication that allows users to browse and execute reports is usually done via AD as well. You can add all users to a central AD group and give that group Browser permissions on the SSRS server. This authentication would still apply if you use web parts to host reports outside of SSRS Report Manager.
The authentication that SSRS uses to pull the data that ends up showing in reports is usually SQL Server authentication, or whatever authentication that your data source supports where you can send a user name and password (which is stored within a shares data source on SSRS).
More Info
