I'm trying to find a happy medium with the Cloud service that allows me to authenticate everyone who can but not force it. If they don't provide credentials, just give them the DEFAULT policy, but if they do, I want to capture it.
In my testing it seems that Transparent NTLM only works if you have "Authenticate users on first access" checked. If I change it to "Authenticate only in these cases:" then NTLM does not occur anymore and user logs are no longer identified with their username. Is this by design or a bug?