Ticket Change Details
Overview

Artifact ID: dc1c8588d7835f2b19fa7a4820ad722fa850b464
Ticket: ad56e8db1e94f8352646e9b9fdd6455c27e373bf
Windows Activity Directory Integration
User & Date: ben 2011-07-21 12:03:27
Changes

  1. Appended to comment:
    
    
    ben added on 2011-07-21 12:03:27 UTC:
    One simple way of implementing this:
    
    Fossil is set to use delegated authentication. This requires a shared secret and an "authentication URL". When a user asks to log on, fossil redirects to that authentication URL.
    
    In this case, it'd be a script running on a Windows IIS server, which uses "Integrated Windows Authentication" to authenticate the user. If a user authenticates successfully, it SHA1-HMAC signs the username and current time with a shared secret, then redirects the user back to the fossil server.
    
    The fossil server checks the signature is correct, the time is within a few seconds of the current time, and if so, logs the user on.
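The sign-and-verify exchange described in this comment, as an added example that is not part of the ticket comment or of Fossil's own code; the message layout (username, newline, Unix time), the query parameter names, the constructed secret and the 30-second window are assumptions:

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed example secret; both servers would hold the same long random value.
SHARED_SECRET = b"example-shared-secret-not-for-real-use"
MAX_SKEW_SECONDS = 30  # assumed "within a few seconds" window


def _message(username: str, timestamp: int) -> bytes:
    # Separate the fields so "ab" + "1..." and "a" + "b1..." cannot collide.
    return f"{username}\n{timestamp}".encode("utf-8")


def sign_login(username: str, timestamp: int, secret: bytes = SHARED_SECRET) -> str:
    """Authentication-server side: build the query string sent back to fossil."""
    sig = hmac.new(secret, _message(username, timestamp), hashlib.sha1).hexdigest()
    return urlencode({"user": username, "ts": timestamp, "sig": sig})


def verify_login(query: str, now: int, secret: bytes = SHARED_SECRET,
                 max_skew: int = MAX_SKEW_SECONDS):
    """Fossil side: return the username if the token is valid, else None."""
    params = parse_qs(query)
    try:
        username = params["user"][0]
        ts = int(params["ts"][0])
        sig = params["sig"][0]
    except (KeyError, IndexError, ValueError):
        return None
    # Reject stale or future-dated tokens before doing any crypto.
    if abs(now - ts) > max_skew:
        return None
    expected = hmac.new(secret, _message(username, ts), hashlib.sha1).hexdigest()
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, sig):
        return None
    # Note: within the window a captured token could be presented again;
    # a one-time nonce or a seen-token cache would close that gap.
    return username
```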