I have an ASP.NET website hosted on premises and only accessible by my company. I discovered that if I connect it to a server in the DMZ (open to the internet) even though the IIS folder is set to Windows authentication it still works in all devices, browsers prompt for username+password and users can use their windows account (even on iPhone).
I know everyone is now using ADFS with SAML to do that and my company does have ADFS open to the Internet I can use but why bothering? is my method less secure?