I'm confused about the authentication services and the integration with STS. Can I use Digest Authentication, as opposed to Windows Authentication? The app has an ID and Password page to collect credentials, which are then used with a custom STS. The weird part is that they do this at the application level, as opposed to configuring one of the authentication mechanisms. They have left the application open to anonymous authentication, and each endpoint then refers to the custom STS should the token not be present (!). I'm hoping to move this up to the IIS level, get IIS to handle the authentication/STS token exchange, and then pass it on to the actual application. I need to turn off Anonymous, but what do I use instead? Windows Authentication or Digest?
Thanks in advance for your help.