Single Sign On

I want to create a web site that participates in my network’s Active Directory domain authentication. That is, once the user is logged in to the domain through their desktop, they are implicitly authenticated on the web site. However, if they are accessing the web site from a PC that is not logged in to the domain, then they would have to log in to the web site (authentication would happen using LDAP). I know how to do the second part. I don’t know how to know if the user is authenticated to an appropriate Active Directory domain, nor do I know how to access that domain authentication.

Can anyone help me with this?

Hm, that would come down to machine authentication by IP, wouldn’t it? That is certainly possible. But it sounds rather risky …