What I am trying to achieve is as documented here - http://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-authentication/FSAE.htm
All I need is NTLM auth to explicit proxy, no other SSO
Agentless NTLM support
Agentless NTLM authentication can be configured directly from the FortiGate to the Domain Controller via SMB protocol (no agent is required).
Note that this authentication method is only supported for proxy policies.
Note that domain-controller is only available when method is set to ntlm and/or negotiate-ntlm is set to enable.
config authentication scheme
set method ntlm
set domain-controller <dc-setting>
config user domain-controller
set ip-address <dc-ip>
set port <port> - default = 445
set domain-name <dns-name>
set ldap-server <name>