We have enabled single sign-on using NTLM for Service Catalog as per the documentation, but it doesn't work for all users.
When configuring single sign-on using NTLM for Catalog users, EEM has to be configured to use a Windows domain. Some users log in to Windows using this domain while some log in to a sub domain.
All users must log in to Windows using the same domain as the one which is configured as the user store in EEM. If users log in to another domain, even a sub domain of the main domain, single sign-on will not work.
The information in this article has been included in our product documentation. You can find further details here: