If the user attempting to login to the portal using windows authentication is on a different domain than the portal’s impersonated user, then in Internet Explorer, the user will receive a windows credential box popup that will not accept the user’s credentials.
A workaround for the issue is to use Chrome or Firefox to access the portal as neither one will care about the domain difference.
The issue may also be resolved by adding the Global Catalog port to the LDAP connection string in the web.config file. This is accomplished by adding :3268 to the end of the LDAP string.
Putting all users on the same domain is the best solution.