We tried to make something work with middleware but failed. We even tried to have a Kentico consultant help us, but we got nowhere. All we need is something that recognizes that the user is logged in via Windows authentication and then takes that user's name and logs them in as a Kentico user instead. We were able to figure out a workaround, like I said, doing this when the user hits the access denied page that Kentico sends them to.
I think I have another workaround for the file stuff. Instead of linking to getattachment, we'll just link to the URL of the page, which will log the user in first. We'll probably take another look at setting up some sort of middleware as well if you have any thoughts on the best way to accomplish that.
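One shape the middleware described above could take, as an added example that is not code from the original post, from the poster's project, or from Kentico itself: an ASP.NET Core middleware that runs after the Windows authentication handler, trusts only a principal the server itself authenticated, and hands the bare user name to a sign-in service. `IKenticoSignIn`, `SignInByUserNameAsync`, `IsSignedIn`, the `WindowsAuthTypes` list and the `allowedDomain` parameter are all assumptions made for this example; the real Kentico sign-in API differs between versions and is not shown.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Hypothetical abstraction over the Kentico sign-in call (assumed for this
// example). The actual Kentico API is version-specific and not reproduced here.
public interface IKenticoSignIn
{
    // True if the current request already carries a Kentico session.
    bool IsSignedIn(HttpContext ctx);

    // Signs the named Kentico user in without a password; returns false when
    // no such Kentico user exists or the account is disabled.
    Task<bool> SignInByUserNameAsync(HttpContext ctx, string userName);
}

public sealed class WindowsToKenticoMiddleware
{
    // Authentication types the server reports for Windows authentication. The
    // exact values vary by host (IIS in-process vs. the Negotiate handler), so
    // this list is an assumption to be checked against your deployment.
    private static readonly string[] WindowsAuthTypes =
        { "Negotiate", "NTLM", "Kerberos", "Windows" };

    private readonly RequestDelegate _next;
    private readonly IKenticoSignIn _signIn;
    private readonly string _allowedDomain;

    public WindowsToKenticoMiddleware(RequestDelegate next, IKenticoSignIn signIn, string allowedDomain)
    {
        _next = next;
        _signIn = signIn;
        _allowedDomain = allowedDomain;
    }

    public async Task InvokeAsync(HttpContext ctx)
    {
        var identity = ctx.User?.Identity;

        // Trust only a principal the server itself authenticated with Windows
        // auth. Never take the user name from a request header such as
        // X-Remote-User: the client controls headers, the server controls this.
        bool windowsAuthenticated =
            identity != null
            && identity.IsAuthenticated
            && WindowsAuthTypes.Contains(identity.AuthenticationType, StringComparer.OrdinalIgnoreCase);

        if (windowsAuthenticated && !_signIn.IsSignedIn(ctx))
        {
            var (domain, user) = SplitDomainUser(identity.Name);

            // Map only accounts from the expected domain; a trusted-forest or
            // local machine account should not become a Kentico user by accident.
            if (string.Equals(domain, _allowedDomain, StringComparison.OrdinalIgnoreCase))
            {
                // A false return (unknown Kentico user) simply falls through to
                // Kentico's own access-denied handling.
                await _signIn.SignInByUserNameAsync(ctx, user);
            }
        }

        await _next(ctx);
    }

    // Splits "DOMAIN\user" or "user@domain" into its parts; a bare user name
    // yields an empty domain, which will fail the domain check above.
    internal static (string Domain, string User) SplitDomainUser(string name)
    {
        int backslash = name.IndexOf('\\');
        if (backslash >= 0)
            return (name.Substring(0, backslash), name.Substring(backslash + 1));

        int at = name.IndexOf('@');
        if (at >= 0)
            return (name.Substring(at + 1), name.Substring(0, at));

        return (string.Empty, name);
    }
}

public static class WindowsToKenticoMiddlewareExtensions
{
    // Register after UseAuthentication() so ctx.User is populated, and before
    // the endpoints (including the getattachment handler) that need the
    // Kentico session to exist.
    public static IApplicationBuilder UseWindowsToKenticoSignIn(this IApplicationBuilder app, string allowedDomain)
        => app.UseMiddleware<WindowsToKenticoMiddleware>(allowedDomain);
}
```

Because this runs on every request rather than only on the access denied page, a direct getattachment link also works under these assumptions: the Windows handshake completes, the Kentico session is created, and the file handler then sees a signed-in user. The two checks worth keeping whatever sign-in API you end up calling are the `IsAuthenticated` plus authentication-type test (so an anonymous or forged identity never reaches the sign-in call) and the domain allow-list (so only the accounts you intend to map are mapped).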