I've already posted on the IIS forums and figured the following:
There are two ways to enable windows authentication on IIS:
system.web/authentication
This is ASP.NET specific and can only be configured per application (or more global). It can also only be one type of authentication for the whole application, so either it's all windows or all anonymous. This needs to be present if the identity object should be populated properly.
system.webServer/security/authentication
This has nothing to do with ASP.NET and can be configured on any location, ie. an application can mix authentication requirements based on location. The identity object of an ASP.NET app is not populated, but the user name is passed in server variables (not the user groups though, for obvious reasons).
I need the groups too, so what do you guys think is the easiest way to go from here? Request the groups manually? Is there a way to set up the identity automatically that allows mixed authentication that I've missed?