The SOAP and WS-Security formats, although very verbose when compared to RESTful implementations, have a much more advanced security model. They give the ability to override the authentication used within IIS (which uses Active Directory). By moving the credentials (username and password) from the HTTP headers into the XML of the message, one can use the UserNamePasswordValidator class to implement custom authentication.

Here's an article I wrote for the Next Generation User Group giving all the technical details.