Which web browsers(s) have you tested with?
Within CA SDM, the Access Type for the users in question should have External Authentication flag set to ON. If External Authentication on the Access Type is not enabled, then xFlow cannot authenticate via NTLM.