Both Windows and Passport authentication are seldom practical for real-world Internet applications. Windows authentication is based on Windows accounts and NTFS ACL tokens and, as such, assumes that clients are connecting from Windows-equipped machines. Useful and effective in intranet and possibly in some extranet scenarios, Windows authentication is simply unrealistic in more common situations because the Web application users are required to have Windows accounts in the application's domain. The same conclusion applies to Passport authentication, although for different reasons. Passport is not free, requires the implementation of serious security measures (that are not free and that you don't necessarily need at all ...