Windows Authentication, Windows Server 2016 (or any version really)
When this is turned on in IIS10 this just authenticates against Active Directory, the user does not necessarily need to be a user on the server that IIS is sitting on right ?
Sorry for the dumb question
this just authenticates against Active Directory
Yes and no. It's called "Windows Authentication" and not "Active Directory Authentication" for a reason. It allows the website to authenticate any account that the server is capable of authenticating.
If the server is joined to a domain, then that can be an Active Directory account on the same domain or on any domain that domain trusts.
But it can also be a local account that only exists on the server itself - and that is true whether or not the server is joined to an AD domain.