Best practice authenticating vs windomain

I extended CBaseUserIdentity for authenticating vs a windowsdomain via $_SERVER[‘AUTH_USER’] in a intranet setup. What I dont know now is, when (or better where) I should call the authentication function.

This should normally be done in the beforeAction of a extended Controller, right? Any other suggestions?

Thank you in advance,