I know 2 ways a web application can do Windows Authentication:
First one: with IIS, if the page is stored in a directory with restricted access (using NTFS access rights, for example), the client will be prompted to enter a login and password.
The server will receive those (encrypted or not, depending on the IIS configuration) and the ASP.NET object will be called using those credentials (if access is granted).
Second one: no server rights management, everything is done in the application. In this case, the application may call the Windows function to log in to another account (like in impersonation):
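[DllImport("advapi32.dll", SetLastError = true)] // needs System.Runtime.InteropServices; Win32 argument order is user, domain, password
extern static bool LogonUser(string username, string domain, string password, UInt32 LogonType, UInt32 LogonProvider, ref IntPtr hToken);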
Then you can use System.Security.Principal.WindowsIdentity to manage the account in C# and do the impersonation if necessary.
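The second approach end to end, as an added example that is not part of the original post: LogonUser returns a token, WindowsIdentity.RunImpersonated runs a delegate under it, and the token handle is closed afterwards. The class name, the RunAs helper and the command-line arguments are assumptions made for the illustration; it requires .NET Framework 4.6 or later (or .NET on Windows).

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

static class ImpersonationExample // hypothetical name, not from the post
{
    // Values from winbase.h
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    // Win32 argument order is user, domain, password.
    // SafeAccessTokenHandle closes the token handle when disposed.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string username, string domain, string password,
        int logonType, int logonProvider, out SafeAccessTokenHandle token);

    // Hypothetical helper: run `action` as the given account, then revert.
    public static void RunAs(string username, string domain, string password, Action action)
    {
        if (!LogonUser(username, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out SafeAccessTokenHandle token))
        {
            // Failed logon: surface the Win32 error instead of continuing
            // under the application's own identity.
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        using (token)
        {
            // Impersonation is scoped to the delegate and undone on return,
            // even if the delegate throws.
            WindowsIdentity.RunImpersonated(token, action);
        }
    }

    static void Main(string[] args)
    {
        // Usage: ImpersonationExample <user> <domain>; password is read from stdin
        // so it does not appear in the process command line.
        Console.Write("Password: ");
        string password = Console.ReadLine();

        Console.WriteLine("Before: " + WindowsIdentity.GetCurrent().Name);
        RunAs(args[0], args[1], password,
              () => Console.WriteLine("During: " + WindowsIdentity.GetCurrent().Name));
        Console.WriteLine("After:  " + WindowsIdentity.GetCurrent().Name);
    }
}
```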