It is based on domains/workgroups, because that is the only way that the Windows login details can be safely verified.

Connections outside of a domain/workgroup would require something roughly...