Authentication options?

I'm currently reviewing options for authentication of remote users as part of a web based portal (IIS). The user base will be up to few hundred. Requisite user data includes: username, password, surname, forenames, telephone, company, email, applications allowed etc. Password policy dictates that I should ensure passwords are changed every 30 days. Any system must also be managable via a web browser.

Ideas modelled so far:
> Script-level (ASP) protection supported by an Access database containing user accounts, passwords etc. Considered to be inadequate as applications include non-script content (e.g. Word documents images) which needs to be protected.
> Use of basic authentication. Creation/management of Windows user accounts/groups using ADSI (WinNT provider). Group permissions assigned to various application directories in wwwroot. Due to WinNT being non-extensible I created a parallel Access database to store requisite user data.

The ADSI solution I have devised works, however my concerns are as follows:
> Users are elevated to possess Windows accounts.
> Scalability/performance.
> Immediacy of updates.
> Unclear how to approach password refresh requirement.

Useful advice/recommendations would be greatfully recieved.

Regards,


Rob.

I wouldn't use Access for a website of any size. Access doesn't share well. Step up and use SQL server or even MySQL if you can't afford SQL server.

You can protect non web-based documents with a script level authentication system. Put the documents outside the web root and have the script initiate the download after validating the user.