So I have almost given up on the redirect-thing, and George's fix (almost) works fine for us, as we are in an Intranet-only environment:

But how do I go about logging in as e.g. host-user now? When I click logout, it logs me right back in as my domain user..

If you have <add name="authentication"..../> uncommented in the <httpModules> section of your web.config and in the Authentication Settings you haven't narrowed down the autologin IP ranges then the provider is going to try to automatically login any external user who hits the site (something that won't work) and you're going to get an error page like you did.

If the site isn't in the Intranet or Trusted Sites list in your Internet Options they're going to get the Windows Popup.

So, the solution is, either comment out <add name="Authentication".../> in your web.config so that windowssignin.aspx isn't hit (however, internal users will have to manually login to the site) or set an IP Range in the settings for the provider that matches internal IP address but not an IP address that external users hit the site with.

I had a whole long post typed out and the forum decided to through an error and not post it so here goes again:

Here's how the AD provider works.

When <add name="Authentication".../> is uncommented it calls an httpModule where a redirect to WindowsSignin.aspx is called. WindowsSignin.aspx tries to pull in the users credentials off their computer (if the site is in the Intranet Sites or Trusted Sites list in the Internet Options in the Control Panel of the client computer the client see nothing otherwise they see the IIS Popup asking for their credentials). However, if they're an external user an IIS error page is thrown because it can't pull that information from their computer. If the line is commented then this whole process is bypassed as if the provider wasn't installed.

In version 01.00.00 of the AD Provider and versions prior to that (when it was part of the core code) the only way around that problem was to comment out the line in the web.config which meant that everyone had to login manually. However a number of users (myself included) would put links to WindowsSignin.aspx so that internal users could just click on the link and they'd be logged in. Unfortunately I discovered that a lot of people don't bother reading so I was getting calls from external users asking why they were getting an error when they clicked the link that plainly stated to only follow the link if you were on a campus computer.

So for version 01.00.03 I added the Auto-Login textbox to the settings. In that textbox you can put a range of IP addresses (eg: 192.168.0.1 - 192.168.0.255) so that if the computer has an IP address that falls in that range (eg: 192.168.0.50) it will attempt to auto-login (follow the redirect to WindowsSignin.aspx) when <add name="Authentication".../> is uncommented. If the computer's IP was outside of the range (142.179.215.255) then the redirect to WindowsSignin.aspx is bypassed. The internal IPs on your network should be in the Private Network range of IP address (http://en.wikipedia.org/wiki/IP_address) and external users "should" be hitting your site with non-Private Network IP addresses. I put should in quotations because there may be a device on your network that redirects to your webserver so that it appears to be coming from an internal IP. If that's the case then you just make sure that IP isn't in your Auto-Login IP range (Your network guys should be able to help you out with this).

I hope this clears up any confusion for you. If not then post back and I'll try to answer your questions.