Forum Discussion
Using Login Page to trigger NTLM Authentication with server
If I may add, server-side "SSO" NTLM is the client side of an NTLM challenge-response negotiation. If you notice in an NTLM profile, you have "Credentials Source" session variables: one for username, one for password, and one for domain. So basically the way it works is that somewhere in the access policy you have to populate these session variables with valid user/password/domain values. When you get to the Allow block in the visual policy, the SSO is triggered.

For NTLM specifically, an initial request is sent for which the server should send back a 401 Unauthorized response. This starts the challenge-response. The server sends some information in its 401 response and the client encrypts that value with its password and sends it back to the server to indicate it knows the password.

In David's visual policy, you see an SSO Credential Mapping agent. When you enter a password into a Logon Page, that password is stored encrypted in the session.logon.last.password session variable. When you use an SSO that requires access to the user's password (i.e. NTLM, Basic, Forms), the SSO Credential Mapping agent at the end of the visual policy is responsible for pulling a cleartext copy of the password into another session variable for use in the SSO profile: session.sso.token.last.password. How you populate those NTLM SSO source session variables is completely arbitrary, but as you can see a logon page is a common use case.
