Simple NTLM

NTLM SSO is pretty straight forward. It requires a username, password, and domain name as inputs, which are taken from session variables. If you look at an NTLMv2 SSO profile, you'll see a set of default session variables for these three values. You just need to make sure that your access policy populates these three values before the Allow block. The one trick here is that the logon page sets the session.logon.last.username and session.logon.last.password (and optionally the session.logon.last.domain) session variables, and stores the password in secure encrypted storage. To access that (decrypted) password at the SSO, you need the SSO Credential Mapping agent in the visual policy path, which natively creates the session.sso.token.last.username and session.sso.token.last.password variables that the SSO needs. So at a minimum,

Start -> Logon Page -> AD Auth -> SSO Credential Map -> Allow (SSO applied to the access policy)