Hello guys!
I need to set up a web application running on 2 load-balanced IIS servers (NLB) that will interact with 2 SQL Servers in failover (active/passive) mode. Those servers will be sitting in a perimeter network behind a hardware firewall and then behind Forefront TMG (3-leg perimeter configuration), like this:
Internet <---> HW Firewall <-----> Forefront TMG <-----> LAN
                                         |
                                         |
                                         |
                                   Perimeter (DMZ): 2 IIS servers + 2 SQL servers
For a long time, I was hoping not to be forced to domain-join my IIS servers, because my TMG is domain-joined, so it would authenticate users and pass their credentials to IIS... But apparently, it's not that simple.
Oh yeah, I didn't tell you what I want to do: I want my internal AD users to be able to log in to this .NET web application, and I need to get their login (DOMAIN\username or just username), and if possible, I want to take advantage of my existing AD security groups to apply security filtering on content access.
So, I did some research and now I'm a bit lost among all the possibilities:
1. No AD DS in DMZ => local accounts => not what I want to do because my users need to authenticate using their existing AD account.
2. Isolated forest model => need to duplicate user accounts => no way
3. Extended corporate forest model with RODC in DMZ => sounds good
4. Forest trust model => looks interesting but maybe harder to implement than solution 3.
From these solutions, I tend to prefer solution 3, but I need to open some ports from my RODC to my RWDC in the LAN. So, here, I don't get how and why implementing an RODC in the DMZ is more secure than domain-joined IIS servers communicating directly with my internal RWDC...?
Then, while searching for an answer to this question, I found other solutions: using AD LDS or using ADFS. But I'm totally not getting how I can use these technologies to authenticate my users, and whether they are more or less secure than an RODC.
I would like to apologize for my English, and I hope you can understand what I'm saying.
Thank you in advance for the time you will spend answering me :)
BR,
Julien
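Added example, not part of Julien's post, showing the application-side piece the post asks for: an ASP.NET page behind IIS Windows Authentication reading the caller's DOMAIN\username and filtering content by AD security group membership. The Report page, its WelcomeLabel and RestrictedPanel controls, and the group CORP\Finance-Readers are hypothetical. It also makes the prerequisite behind the post's question visible: IsInRole resolves the group name through AD, so the IIS host must be able to reach a domain controller (domain-joined, via an RODC, or across a trust); that is the dependency the post is weighing.

```csharp
// Added example, not code from the original post. Assumes an ASP.NET Web Forms
// application (System.Web) hosted on IIS with Windows Authentication enabled:
//
//   <system.web>
//     <authentication mode="Windows" />
//     <authorization>
//       <deny users="?" />   <!-- reject anonymous callers before any page runs -->
//     </authorization>
//   </system.web>
//
// The Report page, its controls and the group CORP\Finance-Readers are hypothetical.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

public partial class Report : Page
{
    // Hypothetical AD security group allowed to see the restricted section.
    private const string RequiredGroup = @"CORP\Finance-Readers";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Under Windows Authentication, IIS has already validated the caller against
        // AD (Kerberos or NTLM) and hands the application a WindowsPrincipal whose
        // token carries the user's group SIDs; no password ever reaches this code.
        var principal = HttpContext.Current.User as WindowsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
        {
            Response.StatusCode = 401;
            Response.End();
            return;
        }

        string domainLogin = principal.Identity.Name;   // e.g. "CORP\jdupont"
        string userOnly = StripDomain(domainLogin);     // e.g. "jdupont"

        // IsInRole(string) translates the group name to a SID through AD and checks
        // it against the token, so the IIS host needs a reachable domain controller
        // (domain-joined, RODC, or trust). Fail closed if the lookup fails.
        bool allowed;
        try
        {
            allowed = principal.IsInRole(RequiredGroup);
        }
        catch (SystemException)   // e.g. IdentityNotMappedException when AD is unreachable
        {
            allowed = false;
        }

        WelcomeLabel.Text = Server.HtmlEncode(userOnly);
        RestrictedPanel.Visible = allowed;   // server-side filtering, not just hiding a link
    }

    // Returns the part after the backslash, or the input unchanged if there is none.
    public static string StripDomain(string login)
    {
        int i = login.IndexOf('\\');
        return i < 0 ? login : login.Substring(i + 1);
    }
}
```

The web.config `<deny users="?" />` entry is what actually forces authentication; the page-level check is the second line of defence and is where group-based filtering belongs. Because the group lookup depends on a domain controller being reachable from the DMZ, the choice between domain-joined IIS talking to the internal RWDC, an RODC in the DMZ, or a trust decides which ports have to be opened, not whether the application code changes.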