I found this great article on authentication and authorization in .NET by Rockford Lhotka of Magenic Technologies. It touches on things like identities, principals and roles in both ASP.NET as well as in a Windows Forms application.