This is a bit of a complicated question. SQL Server can be as secure as AD
for authentication, but it is incumbent on you to use best practices with
hashing password values (preferably with random salt) in order to make it as
secure. With AD it is easy since the hashing is done for you and it is easy
to secure the credentials on the network using Windows auth binds or SSL
over LDAP.

I think the bigger question ends up being how the user accounts will be
provisioned and maintained. It may be important to provide access to users
in your directory and have all the features that AD provides such as
password complexity and aging, automatic lockouts, etc. On the other hand,
you may not be able to add some of your users to Active Directory (if they
are external for example) due to security or licensing restrictions.

Another option to consider is to use ADAM as your user store or a hybrid
ADAM/AD approach. ADAM can be used to store users and authenticate them and
has groups which can be used to do role-based access control. ADAM can also
do pass through authentication to AD, so ADAM users would be authenticated
by ADAM, while AD users would have the authentication request forwarded to
AD.

HTH,

Joe K.

"chris" <anonymous@discussions.microsoft.com> wrote in message
news:C01A9477-2C6B-4C08-AEF9-5F9428EBA2EF@microsoft.com...
> Hi,
> I have an asp.net application that will be exposed to the internet to a
> number of users. Should I use forms authentication with Active Directory or
> SQL server? Which is more secure? The web server is on my LAN along with my
> database. I used a NAT mapping to map the webserver to a public address.
>
> Thanks