What are “best practices” concerning error handling in an ASP.NET MVC2 web app that is DDD designed? For example, let’s take the most common aspect of a web app, the login:

• UserController: Obviously coordinates
  a few domain objects to eventually
  log in or refuse the user, and
  redirect to other parts of the web
  interface as needed. In my case, it’s
  a few calls to different UserTasks
  methods like IsLoggedIn() or LogIn(),
  plus some RedirectToAction.
• UserTasks: Has the meat of the work
  of coordinating relevant domain
  objects services, like
  SecurityService and lower domain
  objects, such as calling
  SecurityService.ValidateUser() or
  checking User.IsUserInactive().
• SecurityService: Obviously
  coordinates
  authentication/authorization
  services. Similar to a
  MembershipProvider, without the
  excess baggage.
• User: Represents the user. Not
  anemic, as it has various
  User-specific methods such as
  IsuUserInactive() that checks
  IsDeleted, IsLockedOut or if the user
  is between FromDt and ThruDt.

How do you bubble up errors such that they are informative and not hostile to users? Do you litter code with exceptions and then just handle them all in Application_Error()? For example, should ValidateUser() throw an ArgumentNullException() when password is empty and a AuthenticationException() when the password isn’t right, or return a bool = false? If the latter, how do you inform the user of what caused the validation to fail?