Can we use AD-based client certificate authentication with IIS when the client computer is not a member of the domain?

StackOverflow https://stackoverflow.com/questions/22526374

Scenario: We have a server located in a Windows Active Directory domain which implements a web service API, implemented with WCF and exposed via IIS 8 over HTTPS. The clients making requests to the web service are not located in the domain. However, they should be mapped to AD users via SSL client certificates. I.e., when making an HTTP request, they include a client certificate, and I want that certificate to be mapped to the corresponding AD user.

I know that IIS supports two ways of client certificate authentication, IIS Client Certificate Authentication and Client Certificate Authentication using Active Directory. I'd really like to use the AD approach in our scenario, as it makes the management of client certificates easier (we can map certificates to users in the AD rather than in the IIS configuration).

However, the docs linked above say that,

[Client Certificate Authentication using Active Directory] requires that the IIS 7 server and the client computer are members of an Active Directory domain [...]

This indicates that we cannot use this approach, since our client computers are not part of the AD domain. However, this doesn't really make sense to me. How would the server even know whether the client making an HTTPS request is in the same domain?

So, here's the question: Can we use Client Certificate Authentication using Active Directory with clients outside the AD domain or not?


Solution

We've now had the chance to implement and test our solution with a machine outside of the AD domain. Indeed, it works: the client computer does not have to be part of the domain; the documentation seems to be wrong here.
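The following is an added configuration example, not code from the question or the answer above. It shows how the AD-based scheme the question asks about is switched on for an IIS application and how to read the settings back to confirm that only that scheme is active. The site name ('Default Web Site'), the application path ('api') and the use of the WebAdministration module are assumptions; the page names none of them.

```powershell
# Added example (not from the original question or answer): enable
# "Client Certificate Authentication using Active Directory" for one IIS
# application and verify the result.
# Assumptions (not stated on the page): the site is 'Default Web Site', the
# WCF service is the application 'api' under it, the server runs IIS 8 with
# the WebAdministration module and is itself joined to the domain.
Import-Module WebAdministration

$site     = 'Default Web Site'
$app      = 'api'
$location = "$site/$app"
$appHost  = 'MACHINE/WEBROOT/APPHOST'
$adMapFilter  = 'system.webServer/security/authentication/clientCertificateMappingAuthentication'
$iisMapFilter = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'
$anonFilter   = 'system.webServer/security/authentication/anonymousAuthentication'
$accessFilter = 'system.webServer/security/access'

# 1. The AD-based mapping is the role service "Client Certificate Mapping
#    Authentication" (Web-Client-Auth). The IIS-based mapping the question
#    decided against is a different role service (Web-Cert-Auth).
if (-not (Get-WindowsFeature -Name Web-Client-Auth).Installed) {
    Install-WindowsFeature -Name Web-Client-Auth | Out-Null
}

# 2. Require TLS and require the client to present a certificate. Without
#    SslRequireCert a client that sends no certificate would still reach the
#    application and fall through to whatever other scheme is enabled.
Set-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter $accessFilter -Name 'sslFlags' `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# 3. Enable the AD mapping and disable the schemes it must not compete with.
#    The sections are written as <location> entries in applicationHost.config,
#    which works even though the authentication sections are locked by default.
Set-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter $adMapFilter -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter $iisMapFilter -Name 'enabled' -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter $anonFilter -Name 'enabled' -Value $false

# 4. Read everything back. A mis-set flag here is the usual reason a client
#    certificate "works" only because anonymous access silently let it in.
function Test-AdClientCertMapping {
    param([string]$Location)
    $adMap  = (Get-WebConfigurationProperty -PSPath $appHost -Location $Location -Filter $adMapFilter  -Name 'enabled').Value
    $iisMap = (Get-WebConfigurationProperty -PSPath $appHost -Location $Location -Filter $iisMapFilter -Name 'enabled').Value
    $anon   = (Get-WebConfigurationProperty -PSPath $appHost -Location $Location -Filter $anonFilter   -Name 'enabled').Value
    $flags  = (Get-WebConfigurationProperty -PSPath $appHost -Location $Location -Filter $accessFilter -Name 'sslFlags')

    $ok = $adMap -and -not $iisMap -and -not $anon -and ($flags -match 'SslRequireCert')
    [pscustomobject]@{
        Location              = $Location
        AdCertMappingEnabled  = [bool]$adMap
        IisCertMappingEnabled = [bool]$iisMap
        AnonymousEnabled      = [bool]$anon
        SslFlags              = [string]$flags
        Hardened              = $ok
    }
}

Test-AdClientCertMapping -Location $location | Format-List
```

Nothing in this configuration refers to the client machine, which is consistent with the answer: the server only sees the presented certificate, and the lookup that turns that certificate into a domain user runs between IIS and the domain controller. The client therefore has to hold a certificate that is mapped to the user in AD, not a domain membership.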

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow