Yes, you need certificates if you are going to secure your password across the wire. However, you don't need to use a certificate from a well-known CA, such as Verisign, for your purposes.
You can create and approve your own certificates locally using Certificate Services installed on Windows Server 2003. Inform the users that the certificate will issue a warning because it’s not from one of the public CAs. Once they get the error and allow the certificate, they would log on encrypted over HTTPS.
You can also restrict only the logon process, or the entire site, to HTTPS, if you desire.
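Added example, not part of the answer above: the same private-CA workflow done with the openssl CLI instead of Windows Certificate Services. It issues a server certificate from a locally created root, shows the chain verifying once that root is trusted, and shows it failing without it, which is exactly the condition behind the browser warning. The host name `logon.example.test` and the CA name are made up.

```shell
#!/bin/sh
# Added example (not from the original answer): private CA + server cert with openssl.
# Assumes the openssl CLI is installed; all names below are constructed.
set -eu

# Create a private root and issue a certificate for the logon host under $1.
# Returns 0 when the server cert verifies against the private root.
issue_local_cert() {
    dir="$1"
    mkdir -p "$dir"
    # 1. Private root CA (the equivalent of the local Certificate Services root).
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Private Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    # 2. Server key and certificate request for the logon host.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=logon.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    # 3. Browsers match the host against subjectAltName, so add it at signing time.
    printf 'subjectAltName=DNS:logon.example.test\n' > "$dir/san.ext"
    # 4. The CA "approves" the request by signing it.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/san.ext" \
        -out "$dir/server.crt" >/dev/null 2>&1
    # 5. Chain check with the private root as the trust anchor (what a client
    #    sees after the root has been installed in its trusted store).
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1
}

# Returns 0 when the server cert is NOT trusted without the private root,
# i.e. the state that makes a browser show the certificate warning.
untrusted_without_ca() {
    dir="$1"
    # Ignore the system trust store so only explicitly given roots count.
    if openssl verify -no-CApath -no-CAfile "$dir/server.crt" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}
```

Distributing `ca.crt` to the users' trusted root store removes the warning for every certificate the private CA issues, which is cleaner than having each user click through it.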