One of the interesting scenarios where you can use ADAM (Active Directory in Application Mode) is for extranet authentication. For external users, you create accounts in the ADAM store. For internal users, you can create a userProxy object for each of your internal users, and keep these proxy objects up to date using either MIIS or the Identity Integration Feature Pack for Microsoft Windows Server Active Directory. Using this approach, you can authenticate internal users while allowing them to use the same user name and password they use while inside the firewall, without having to poke a hole in your firewall to allow access to the corporate directory.

There is also a new framework for user management in ASP.NET 2.0 - the concept of membership, which uses a provider model. You can use the ActiveDirectoryMembershipProvider to point to an Active Directory internally. And, because ADAM is a subset of AD, you can also point this provider at ADAM, and it just works.

Except...

When you point the provider to an instance of ADAM and attempt to authenticate one of your proxy users, it fails.

Internally, the ActiveDirectoryMembershipProvider uses a DirectorySearcher to search, using the criteria ...(objectClass=user).... A proxy object is a different object class - userProxy.

So, if you want to use the membership framework for user proxy objects, you can either roll your own provider, or you can inherit from the ActiveDirectoryMembershipProvider to enable the use of object with an objectClass of userProxy.