When Single Sign-On is enabled, users can connect to the web interface without entering the credentials of their application account. The user's domain account is used for authentication.
We recommend using Kerberos authentication because that mechanism is more secure. If you use NTLM authentication, hackers can gain access to user password hashes by intercepting network traffic.