Yet another approach is to use ASP.NET membership for authentication, link your User class to ASP.NET members, and use your User class for more granular permissions. We do this, because it allows changing authentication providers very easily, while still retaining the ability to have a complex permission system.
In general, it's worth remembering that authentication/identity and storing permissions are not necessarily the same problem.
