Ok, I've come a long way in my quest to authenticate WCF invokers against AD LDS, right now I have ActiveDirectoryMembershipProvider set up so that even the VS2010 Project/ASP.NET configuration tool allows me to create and edit AD LDS users, and does so using a Secure connection (so no username/password needed in web.config), so far so good, but now when I try to actually authenticate a user, I keep getting an authentication failure message, I strongly suspect this is because AD LDS is expecting the username in user@domain format, the domain is obvious if you are using Active Directory, but I'm using AD LDS, so what's the domain in this scenario? I really, really hope this is an obvious ADAM question because I'm almost there...