I did something like this on a project a while ago, and it worked like this:
I set the application to use Forms Authentication, with anonymous access enabled in IIS.
I created a standard Forms Authentication login page that accepted a user ID and password to do non-integrated logins.
I also made a special .aspx page for integrated security login and set ONLY that one page to use integrated security (and not anonymous access) in IIS. This page manually created a Forms Authentication ticket based on the credentials from IIS.
In the main Forms Authentication login page, I looked at the incoming address on the request to see if it was from the LAN, and if so, redirected to the integrated security login page (so the user did not get prompted for user ID and password; it just logged them in with integrated security).
I also made the Forms Authentication login page smart enough to determine, based on your user ID, if you were an AD user, and do an LDAP lookup against the AD if so to check your password. This enabled users who had AD accounts to log in using their AD credentials even when not on the LAN (and thus not using integrated security). For non-AD users, verification was done against a separate list of user IDs and password hashes maintained by the application.
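
One way the integrated-security login page described above could issue the Forms Authentication ticket, as an added example that is not the answerer's code. The class name `WindowsLogin` and the `IsLocalUrl` helper are hypothetical, and it assumes ASP.NET Web Forms on .NET 4.0 or later.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical code-behind for the single page that IIS serves with
// integrated security on and anonymous access off.
public partial class WindowsLogin : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // IIS has already authenticated the caller before this code runs.
        var identity = Request.LogonUserIdentity;
        if (identity == null || !identity.IsAuthenticated || identity.IsAnonymous)
        {
            // Misconfiguration (anonymous access left on): refuse rather than
            // issue a ticket. 403, because Forms Authentication turns a 401
            // into a redirect back to the login page.
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        // Same ticket shape the normal login page issues; Name is DOMAIN\user.
        var ticket = new FormsAuthenticationTicket(
            1, identity.Name, DateTime.Now,
            DateTime.Now.Add(FormsAuthentication.Timeout),
            false, string.Empty, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        cookie.Path = FormsAuthentication.FormsCookiePath;
        Response.Cookies.Add(cookie);

        // Follow ReturnUrl only when it stays on this site.
        string returnUrl = Request.QueryString["ReturnUrl"];
        Response.Redirect(IsLocalUrl(returnUrl) ? returnUrl : FormsAuthentication.DefaultUrl);
    }

    // Hypothetical helper: accept "/path" but not "//host" or "/\host".
    private static bool IsLocalUrl(string url)
    {
        return !string.IsNullOrEmpty(url) && url[0] == '/' &&
               (url.Length == 1 || (url[1] != '/' && url[1] != '\\'));
    }
}
```

The ticket is issued only from the identity IIS established for this page, so the LAN address check on the main login page decides convenience (whether to redirect here), not who gets authenticated.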