I'm developing an application which is used by internal and external users. All users have accounts set up in our Active Directory, but only internal users log onto our network. External users access the site through a public-facing website.

I'd like to have them enter their AD credentials and have Kentico log them in the same as internal users (including creating users / roles for users that have not logged on before but exist in AD).

I've tried setting up Digest Authentication in IIS as described by http://support.microsoft.com/default.aspx?scid=kb;en-us;222028. This does force the pop-up dialog for logging in with the user's network credentials. However, the login only works if the user has previously been set up as a Kentico user. A user that has never logged into the Kentico site does not have their user info and roles imported into the system like a internal user does when using Integrated Windows authentication.

Can Digest Authentication be used with Kentico to authenticate external users against Active Directory, or do I need to look into writing a custom Forms login page that accesses AD and then programatically creates the Kentico user / roles?