Best way to deploy authentication on web services
Hi,
I'm building a distributed app that will be accessible to both domain authenticated and forms-based authenticated users. I'm planning to have one web server that holds the client app with 2 virtual directories. The internal VD will have Windows Int. Auth. turned on. The other external one will be accessed through a port forwarding situation through the firewall with anonymous access checked, but users will have to enter a username/password on a webform to access functions.

In some cases the user will be an internal user that's travelling and needs to get the same functionality that they have on the intranet. In other cases, the user will not exist in the Active Directory schema and will instead have credentials stored in a SQL table or something. What I'm hoping to do is to take the forms based info and bounce it off the Active Directory Server to see if they're ok. If not, it'll then check a database table to see if they're ok.

The big question is: Is it possible to have one authentication scheme on the "gatekeeper" web service that accepts either domain or forms credentials and returns some sort of standard key/certificate/ticket/whatever it's called that can then be stored in the user's session or cookie or something and passed back to the web service on future calls? What's the best way to accomplish this while maintaining best practices in an SOA situation where there may be non-.NET resources accessing the web service? I'm also trying to find the most secure solution so that hackers cannot steal someone else's credentials. I'm trying not to have to write two separate versions of both the web app and the web service.

Any help would be greatly appreciated!

Rob
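The flow described in the post (check the directory first, fall back to the database table, then hand back one ticket for later calls), sketched as an added example that is not part of the original post. The in-memory user stores, the `SECRET` key, the 15-minute lifetime and the ticket layout (base64url JSON plus an HMAC-SHA256 signature, which any non-.NET client can carry as an opaque string) are all assumptions; a real directory check would be an LDAP bind rather than a dictionary lookup.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # constructed value; keep the real key in a secret store
TTL = 900                         # assumed ticket lifetime in seconds

def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed stand-ins for the Active Directory check and the SQL credentials table.
DIRECTORY = {"rob": (b"dir-salt", _pbkdf2("intranet-pass", b"dir-salt"))}
SQL_USERS = {"partner1": (b"sql-salt", _pbkdf2("external-pass", b"sql-salt"))}

def store_check(store):
    def check(user, password):
        # Unknown users still cost one hash, and the empty digest never matches.
        salt, digest = store.get(user, (b"none", b""))
        return hmac.compare_digest(_pbkdf2(password, salt), digest)
    return check

PROVIDERS = [("directory", store_check(DIRECTORY)), ("sql", store_check(SQL_USERS))]

def _sign(body):
    return _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def issue_ticket(user, source, now=None):
    issued = time.time() if now is None else now
    claims = {"sub": user, "src": source, "exp": int(issued) + TTL}
    body = _b64(json.dumps(claims).encode())
    return body + "." + _sign(body)

def verify_ticket(ticket, now=None):
    try:
        body, sig = ticket.split(".")
        if not hmac.compare_digest(sig, _sign(body)):  # reject before parsing anything
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except (ValueError, TypeError):
        return None
    current = time.time() if now is None else now
    return claims if claims["exp"] > current else None

def authenticate(username, password, providers=PROVIDERS, now=None):
    # First provider that accepts the credentials decides the ticket's "src" claim.
    for name, check in providers:
        if check(username, password):
            return issue_ticket(username, name, now)
    return None
```

The ticket is a bearer value: after login it travels instead of the password, so it only protects the user when every call to the web service runs over TLS.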