If the organization you are developing for does have a directory service, but you need to modify the schema, then in those cases I have relied on AD for authentication, and then on additional attributes linking userIDs to permissions for authorization.
Is there an easy way to keep an ADAM and a real AD synced?
The answer is that there is a way, which is not without a price tag, and which can be easy or not so easy. Microsoft Identity Integration Server (MIIS) provides a means of keeping AD/AM and AD synchronized. It's dead easy to connect AD to MIIS, connect AD/AM to AD, and then specify how the values of properties of objects in AD are to flow to AD/AM and vice versa (or not vice versa, if you want AD to be the master copy). What is also possible, but not quite as easy, is to provision into AD/AM the users that exist in AD. To do that, one has to write rule extensions, which can be challenging. I'll cover those in subsequent posts.