Paul, I noticed today from SharpReader that you posted an article on MSDN regarding mixing of the two authentication types. I have previously visited this problem and came to slightly different conclusions than you. Its funny that you posted here, because I was just going to email you. If your intent is only to learn the user's login, then perhaps your method would work fine. However, I think it is missing the greater benefit of truly using Windows Authentication - and that is harnessing the power of Active Directory and your security groups. Correct me if I am wrong, but your solution is still just Forms Authentication, so you would lose all the automatic things that IIS does for Integrated Auth. Companies that have leveraged AD for all their employees want to continue to use it without wrapping it in some sort of Forms authentication. The most common case of this seems to be having an internal application that you want to also be available for partners on the internet. You would need to move all the information that you have stored in AD into some sort of cookie or other mechanism to start to use the roles-based framework again. Am I misinterpreting this article, or is there some simple way to continue to harness all the work that corporations have put into security groups and such?