Using Active Directory to authenticate users on a WWW site

I am looking for a new web application that should be safe (if not for any other reason, at some point we will need PCI (Payment Card Industry) accreditation).

From previous experience working with PCI (in the domain), the preferred method is to use integrated Windows authentication, which is then completely transferred through the application to the database using Kerberos (therefore, the NT user has permissions in the database). This allows you to improve auditing, as well as permissions at the facility level (i.e., the end user cannot read the credit card table).

There are advantages in that even if someone compromises the web server, they will not be able to get any additional information from the database. In addition, the web server does not store any database credentials (besides, perhaps, a simple anonymous user with very few permissions for a simple website configuration).

So now I'm watching a new web application that will be on the public Internet. One suggestion is to have an Active Directory server and create Windows accounts for each user on the site. These users will then be placed in the appropriate NT groups to determine what permissions they should have (and which pages they can get).

ASP.Net already provides an AD membership provider and a role provider, so this should be fairly simple to implement.

We have a number of issues: scalability, reliability, etc., and I was wondering if there was anyone with experience with this approach or, better yet, some good reasons why this is needed / don't do it.

Any input is appreciated.

+3
3 answers
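The setup the question describes (integrated Windows authentication, AD groups mapped to ASP.NET roles, and the caller's Windows token flowing through to SQL Server over Kerberos) can be expressed in a single web.config. The following is an added illustration, not configuration taken from the question or the answers; the domain name EXAMPLE, the group EXAMPLE\Finance and the Admin path are assumed placeholders.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- IIS authenticates the browser user with Kerberos/NTLM; no passwords reach the app. -->
    <authentication mode="Windows" />

    <!-- Run each request as the authenticated caller, so the connection to SQL Server
         (with Integrated Security=SSPI) carries the end user's identity, not the app pool's. -->
    <identity impersonate="true" />

    <!-- Default rule: no anonymous access anywhere. "?" is the anonymous user. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Expose the caller's AD group memberships as ASP.NET roles (User.IsInRole, <allow roles>). -->
    <roleManager enabled="true" defaultProvider="WindowsTokenRoleProvider">
      <providers>
        <clear />
        <add name="WindowsTokenRoleProvider"
             type="System.Web.Security.WindowsTokenRoleProvider" />
      </providers>
    </roleManager>
  </system.web>

  <!-- Page-level permission: only members of the assumed EXAMPLE\Finance group
       reach anything under /Admin; everyone else is denied even if authenticated. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="EXAMPLE\Finance" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two things this file cannot do on its own: the application pool account must be trusted for (preferably constrained) delegation to the SQL Server service principal in AD, or the second hop will arrive at the database as an anonymous login; and the table-level restriction the question mentions (the end user cannot read the card table) is enforced by GRANT/DENY on the SQL Server side against the user's Windows login, not by anything in the web tier. The alternative of Forms authentication with ActiveDirectoryMembershipProvider also validates users against AD, but it yields no Windows token, so with that route the database sees the application's identity rather than the end user's.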

ADAM , . , , AD, , , MS , . , , , ADAM - (ADFS) , , . ADAM - . , , ADAM , . , , 40- LDAP/Directory, , .

AD/ADAM IMO. MembershipProviders, SqlMembership, . , (SQL Server, , ) , PII ( ) , , . , , , , , , ..

EDIT:. , .NET , Windows Windows ( , db ). , . , , DPAPI .

. -, . , , . , . Windows SQL Server 2008, SQL. , - , . , , - . , - . SQL Server PCI:

SQL Server 2008 (PCI DSS) 1.2.

+4

AD/AM - Active Directory.

. , AD. . . ASPNET AD.

Windows.


ADFS 2.

AD/AM, . ADFS v2 Microsoft, "-". , , ADFS2 , . , : Google, Yahoo, OpenId, . "" . , - , .

+1

This is not a direct answer, but having an AD user account means that this user requires a Windows CAL. Another way would be to issue client certificates for users and map client certificates to AD users in IIS.

You can also consider AzMan with a SQL repository, available from Windows 2008, or the open source netsqlazman.

+1

Source: https://habr.com/ru/post/1736786/
