The article Colt mentioned appears to be using Forms Authentication only. While it uses APIs for validating Windows logins, it does not, in fact, use Windows Authentication. While some might think I am splitting hairs here, I think it is a big difference to use Forms Authentication throughout and actually use Forms sometimes and Windows Authentication sometimes. There is a way to do it and leave it truly separate. I created a sample to show you how to do this: 320105 The caveat to this example is that there is no preauthentication for IIS, so we need to know of a way to send the client to either Forms or Windows Authentication. The sample is based on IP addresses and takes the common scenario of allowing local lan ranges (usually non-routable addresses) to use Windows Authentication, while allowing Internet (routable) addresses to authenticate via Forms. This is not a tutorial on Forms Authentication - so you should be familiar with it before attempting to use.