I think that's how we had it. I added a link to the siteroot/login/ path on the homepage, then when you clicked that (and had NTLM Enabled = Yes set, and the right subnet mask - e.g. 10.0.0.0/8 if all your desktop's IP addresses start 10.) forefront kicked in. I had to adjust the moodle wwwroot in the config.php file to match what Forefront changed it to (in our case, testmoodle.srv.hull-college.ac.uk) and we had to add this hostname to internal DNS.
Remember to do tell IIS to require Windows Authentication on a certain file:
https://docs.moodle.org/24/en/NTLM_authentication (replace /24/ with the moodle version you have, e.g /25/ for moodle 2.5).