Frank,

I have an almost identical installation. Windows 2008 R2 Enterprise on the java application server(s) running JBoss EAP 4.3. Windows 2008 R2 Standard on the Compute tier and Windows 2003 Enterprise on the metadata server(s). My metadata and web tiers are clustered for fail-over.

I have authentication configured to use Active Directory for my domain users and LDAP for my external users. Actually the LDAP is Microsoft ADAM which is built into Windows 2008. My AD accounts are spread across three domains but all are within the same forest. This is a simple configuration but in order to work properly your users will need to log in with two different formats. Internal users will log in with domain\username and external users will log in with username@domain. The login manager looks at the format of the login and decides which authentication provider to send the request to.

I am using IIS7 as a reverse proxy load balancer with six (6) instances of JBoss on each web tier server. I also have a cold spare compute server that I have configured to impersonate the hot compute server. This requires the first server to be completely shut down before the cold spare is started but that way I have this machine configured the SAS metadata server hasn't complained about either server authenticating.

There are a couple of gotchas in using JBoss. SAS used to recommend using JBoss GA (the free version). We found out the hard way that this version has a bug that consumes all of the available network connections then stops serving web pages.

Something you may want to consider would be to replace the metadata authentication providers entirely and switch to a JOSSO implementation. This will allow you to concurrently authenticate to SAS and IIS7. The beauty of this solution is that your authentication provider handles password resets and you can delegate new user account creation. JOSSO is an open source project. Google it.

Vic