Hi Sam
The best answer for failover to HTML that I've seen is this style of one:
Windows IWA Failover to HTML Form Login.docx
It's not SPS, just IIS agent and server, however. Effectively the process is that the .asp page only has permission to access the included XML resource if the user has valid NTLM credentials. If they do, they are redirected to NTLM auth; otherwise they are redirected to the forms auth.
Previously, I've implemented a simpler method, but my JSP page would check the client IP address range - if you do need it on the SPS machine, you could do that and deploy the checking .jsp page in the Tomcat engine.
Resource is protected by CheckIPAuthScheme
My JSP page checks the range, then redirects to the following, with handling to pass the query parameters across.
Child auth schemes with the same level of protection as the CheckIPAuthScheme:
IWAAuthScheme
FORMAuthScheme
The trick is that a forms auth is just a 302 redirect to a page; that page does not need to directly be the "auth" scheme, it can just be a front end that then redirects to the real auth scheme.
Cheers - Mark
PS: Also, it looks like it is planned to be included in R12.7:
IWA Login with Forms Fallback
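
The IP-range front-end page described in the post above, as an added example that is not code from the original post or from the product: the decision logic a checking .jsp page could call before issuing its 302. The CIDR ranges, the two URL paths and the class and method names are hypothetical; only the scheme names IWAAuthScheme and FORMAuthScheme come from the post.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.List;

public class AuthSchemeSelector {
    // Hypothetical values: internal ranges and the URLs protected by each child scheme.
    static final List<String> INTERNAL_CIDRS = List.of("10.0.0.0/8", "192.168.0.0/16");
    static final String IWA_URL = "/login/iwa";    // resource protected by IWAAuthScheme
    static final String FORM_URL = "/login/form";  // resource protected by FORMAuthScheme

    // True when the literal IP address falls inside the CIDR block.
    static boolean inCidr(String ip, String cidr) throws UnknownHostException {
        String[] parts = cidr.split("/");
        byte[] addr = InetAddress.getByName(ip).getAddress();
        byte[] net = InetAddress.getByName(parts[0]).getAddress();
        int prefix = Integer.parseInt(parts[1]);
        if (addr.length != net.length) return false;  // IPv4 vs IPv6 mismatch
        for (int i = 0; i < addr.length; i++) {
            int bits = Math.min(8, prefix - i * 8);    // prefix bits left in this byte
            if (bits <= 0) break;
            int mask = (0xFF << (8 - bits)) & 0xFF;
            if ((addr[i] & mask) != (net[i] & mask)) return false;
        }
        return true;
    }

    // remoteAddr: request.getRemoteAddr(); queryString: request.getQueryString() (may be null).
    // Returns the Location for the 302, carrying the original query parameters across.
    static String chooseRedirect(String remoteAddr, String queryString) {
        boolean internal = false;
        try {
            for (String cidr : INTERNAL_CIDRS) {
                if (inCidr(remoteAddr, cidr)) { internal = true; break; }
            }
        } catch (UnknownHostException | RuntimeException e) {
            internal = false;  // unparsable address: fall back to the form login
        }
        String base = internal ? IWA_URL : FORM_URL;
        return (queryString == null || queryString.isEmpty()) ? base : base + "?" + queryString;
    }

    public static void main(String[] args) {
        String qs = "target=%2Fapp%2Fhome";  // constructed sample query string
        System.out.println(chooseRedirect("10.20.30.40", qs));  // inside 10.0.0.0/8
        System.out.println(chooseRedirect("203.0.113.7", qs));  // outside both ranges
        System.out.println(chooseRedirect("2001:db8::1", null)); // IPv6 client, no query
    }
}
```

The address should come from the connection (`request.getRemoteAddr()`), not from a client-supplied header, and the result only selects which child scheme is tried: the resource behind each URL still has to be protected by its own auth scheme.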