What type of authentication have you configured at the web tier level? You should enable Windows Authentication so that you can use single sign on which eliminates the sign in screen altogether. The credentials are passed in from the user accessing the application.
All of our web applications are Public which removes the need for our users to sign into AGO to access our applications. We instead have chosen to secure all of our web services which call for credentials when an application is opened.
Are you using an unfederated ArcGIS Server, or is it federated to Portal? Your initial post indicates that you want your users to sign in with their Windows Domain credentials, indicating you're using AD. If you're using an unfederated ArcGIS Server, you can configure two web adaptors with ArcGIS Server. One will be used internally for users and can be configured with Windows Authentication to provide a single sign on experience. The other can be used externally to still allow access to unsecure services. Both can be external as well, but you'd want to be careful to create applications specific for the group of users accessing the application, (external users vs users with valid Windows credentials).
Our current setup is using an unfederated ArcGIS Server, but this will probably change in the future with the updates coming. Having two web adaptors would require two data stores and separate Server Managers to manage, correct?
No you can register two web adaptors with the same site and configure them with separate authentication methods. If people external to your network will still be using Windows credentials to access the services, then you'll need to install the second web adaptor so it's available externally as well. If the only time people will access the services will be when they're internal in your network, you can install the web adaptor on an internal web server.
Once you federate, I think you can still get away with two web adaptors, but you'll need to federate using the URL that people will use to access secure services, not the URL that will be used to access unsecure services.
Once you federate, I think you can still get away with two web adaptors, but you'll need to federate using the URL
Jonathan Quinn Sorry for the late reply....I'm jumping in here because Kyle might be referring to an unfederated Portal install as the upcoming changes for them. (correct me if I am wrong Kyle Crawford )
With Portal you can only have one web adapter.
I recommend not federating Portal/Sever if you want ArcGIS Server and two web adapters for controlling security thru ArcGIs Server (this is how we do it). Once you federate Portal, there is only one web adapter and all the security is run thru Portal (tht is my understanding).
....I don't think my comment helps at all with your original question