Jackson Shaw adds some interesting thoughts to the Virtual-Directory vs Directory debate here. He points out that the real lock-in comes with authentication:
And, finally, what’s the big deal about being “locked into AD”? Have people forgotten that AD *is* an LDAP directory? You get “locked into AD” when you use it for desktop authentication otherwise it’s just an LDAP directory with its own set of idiosyncrasies just like any other LDAP directory.
I would also add IIS Windows Integrated Authentication to that as well.
And this is a very interesting point. If you are using Windows Authentication for either the desktop or web login, the need to support multiple types of directories is greatly diminished.