How can I get information about the user's network

Published 2019-08-20 18:42

Question:

I want users, when they are in the workplace (e.g. on the LAN), to authenticate themselves with their regular username and password. Auto-login is disabled.

However - logging in from outside the LAN should trigger a 2-level authentication (like SMS, mail or similar). How can we get information about the user's network when they try to log in to the application from outside the LAN?

NB - it does not matter if you have AD user and pwd. If you are on the outside you have to trigger the 2 level auth.

NB2 - we do not want any client-side scripts running, so this must be something coming with the initial request

Technology: IIS 7, ISA 2006, .Net 4, MS Sql 2008 server.

Question also asked here: https://serverfault.com/questions/354183/what-2-level-authentication-mechanism-is-available-that-can-differentiate-if-the

Information on why ISA Server removes the information I need: http://www.redline-software.com/eng/support/articles/isaserver/security/x-forwarded-isa-track.php

Answer 1:

If it's reasonable, don't expose your web server to anything outside of your LAN -- require VPN access.

If that isn't reasonable, you should be able to use the REMOTE_ADDR variable to determine the source of the request. Whitelist your LAN as single-factor and require everything else to be multi-factor. Depending on the scenario, the server variables will be similar to either

Context.Request.ServerVariables["REMOTE_ADDR"]

or

Request.UserHostAddress

If you have a proxy in the way, make the proxy tag the originating IP source in the headers and read the request headers to determine the external IP.
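The check described in this answer, as an added C# example that is not part of the original answer: the forwarded header is believed only when the connection itself comes from the known proxy, and anything missing or unparseable is treated as external. The class and method names, the LAN range `10.0.0.0/8`, the proxy address `10.0.0.5` and the header name `X-Forwarded-For` are assumptions for illustration.

```csharp
using System;
using System.Net;
using System.Net.Sockets;

public static class LoginOrigin
{
    // Assumed values for illustration; replace with your LAN range and proxy address.
    static readonly IPAddress LanNetwork = IPAddress.Parse("10.0.0.0");
    const int LanPrefixLength = 8;
    static readonly IPAddress TrustedProxy = IPAddress.Parse("10.0.0.5");

    // remoteAddr: Request.UserHostAddress. forwardedFor: Request.Headers["X-Forwarded-For"].
    public static bool RequiresSecondFactor(string remoteAddr, string forwardedFor)
    {
        IPAddress peer;
        if (!IPAddress.TryParse(remoteAddr, out peer)) return true; // fail closed
        IPAddress client = peer;
        if (peer.Equals(TrustedProxy))
        {
            // Only a header relayed by the trusted proxy is believed, and only its last
            // entry (the one the proxy appended). No usable header means "external".
            if (string.IsNullOrEmpty(forwardedFor)) return true;
            string[] hops = forwardedFor.Split(',');
            if (!IPAddress.TryParse(hops[hops.Length - 1].Trim(), out client)) return true;
        }
        return !IsInLan(client);
    }

    static bool IsInLan(IPAddress address)
    {
        if (address.AddressFamily != AddressFamily.InterNetwork) return false; // IPv4 only
        byte[] a = address.GetAddressBytes();
        byte[] n = LanNetwork.GetAddressBytes();
        int fullBytes = LanPrefixLength / 8, restBits = LanPrefixLength % 8;
        for (int i = 0; i < fullBytes; i++)
            if (a[i] != n[i]) return false;
        if (restBits == 0) return true;
        int mask = (0xFF << (8 - restBits)) & 0xFF;
        return (a[fullBytes] & mask) == (n[fullBytes] & mask);
    }

    public static void Main()
    {
        // Constructed inputs: direct LAN client, spoofed header from an outside peer,
        // and an outside client relayed by the trusted proxy.
        Console.WriteLine(RequiresSecondFactor("10.1.2.3", null));
        Console.WriteLine(RequiresSecondFactor("203.0.113.9", "10.1.2.3"));
        Console.WriteLine(RequiresSecondFactor("10.0.0.5", "10.1.2.3, 198.51.100.7"));
    }
}
```

If the proxy does not add the header at all, every proxied request falls into the second-factor path rather than inheriting the proxy's LAN address.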