Starting in 10.2, ArcGIS for Server can function in a multiple domain forest. To support this, if enterprise users and built-in roles are used, the enterprise users are linked to roles based on username and domain name. For this reason, with GIS-tier authentication, both the Active Directory username and domain are needed when signing in to access secured services.
When 'Allow access to all users' is enabled, the username alone will work but the authenticated user will not be assigned to the corresponding role(s).
If your installation of ArcGIS Enterprise is internal only, you can add your GIS Server and Portal to your list of trusted sites in IE and achieve a single sign on solution where the browser will pass the current domain credentials to the web adaptor.
I was planning on setting up AD users with AGS roles and GIS tier. Any way to make it work with that configuration? The enterprise is available externally and users off network will be connecting using accounts in AD. If I go web tier and someone tries to connect who isn't on a computer connected to the domain do they get the normal ArcGIS authentication popup? This stuff really isn't clear in the AGS documentation.