In our environment, yes. But we're using Cisco and/or Layer7 gateways which perform the authentication, so by the time it gets to the application server, it's on the internal network and trusted.
Alternately, you could pass a userid/password and some sort of token string. Your server would look at the token and see if it passes a "sniff" test (Too old? Zero length? Checksum bad? Coming from the wrong IP?). If it sniffs OK, it's OK. If it's not OK (typically blank), then use the userid/password to authenticate, generate a new token with a current timestamp, and use their IP addr (or something) to generate the new token. Maybe throw a GUID in there for uniqueness. If they don't have anything valid (token bad, userid/password missing), then send a challenge back, so they can re-submit with userid/password onboard.
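The token flow described in the post above, as an added example that is not part of the original post. It replaces the post's "checksum" with an HMAC-SHA256 keyed by a server-side secret (an assumption, so a client cannot recompute it); `SECRET`, `MAX_AGE`, `USERS` and every function name are hypothetical.

```python
import hashlib, hmac, secrets, time, uuid

SECRET = secrets.token_bytes(32)    # assumption: per-server key, never sent to clients
MAX_AGE = 900                       # assumption: tokens are valid for 15 minutes
USERS = {"alice": "correct horse"}  # constructed store; real code compares password hashes

def mac_for(payload, ip):
    # The client IP goes into the MAC but not into the token, so a token
    # replayed from another address fails the check.
    msg = f"{payload}|{ip}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_token(user, ip, now=None):
    issued = int(time.time() if now is None else now)
    payload = f"{user}|{issued}|{uuid.uuid4().hex}"  # GUID makes each token unique
    return f"{payload}|{mac_for(payload, ip)}"

def sniff(token, ip, now=None):
    """Return the user name if the token passes every check, else None."""
    if not token:                                    # zero length / blank
        return None
    parts = token.split("|")
    if len(parts) != 4:                              # malformed
        return None
    user, issued, _guid, mac = parts
    expected = mac_for("|".join(parts[:3]), ip)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None                                  # tampered or wrong IP
    now = time.time() if now is None else now
    if not 0 <= now - int(issued) <= MAX_AGE:        # too old (or from the future)
        return None
    return user

def handle(token, user, password, ip, now=None):
    """Return ("ok", token_to_use) or ("challenge", None)."""
    if sniff(token, ip, now):
        return ("ok", token)
    stored = USERS.get(user or "", "")
    if user and password and hmac.compare_digest(stored.encode(), password.encode()):
        return ("ok", issue_token(user, ip, now))    # fresh token, current timestamp
    return ("challenge", None)                       # client must resubmit credentials
```

Binding the MAC to the client IP means a user whose address changes mid-session falls through to the userid/password path and is issued a new token.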