It depends on the app. Normally it's one user, with any security checks being done by a gatekeeper layer that talks to the repository, which then passes the user's login name through for auditing. This is more scalable as you then get a greater potential for connection pooling, as the connection strings are always the same.
However sometimes you need auditing at the database, for ease of administration, in which case it's pass-through authentication, assuming you configuration delegation correctly.
