A couple of things:

In AD, verify what the user's sAMAccountName property is. This is what's needed
for Domain\User syntax. user@domain depends on what the UPN property is set
to. Neither is strictly related to the user's name. I realise that this
may be barking up the wrong tree, but we need to figure out why it's

Next thing - NTLM doesn't work through a lot of forward proxies. If you use
SSL - then the proxy shouldn't try to reproxy the data. Does everything
start working if you use HTTPS instead of HTTP?

Lastly, can you post the offending IIS log file entries? In particular, we
need to see the HTTP status, substatus and Win32 values. Additionally,
enable "Logon failure auditing" on the server, and look in the server's
security event log for an event that details why the user's logon failed.
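
The following is an added example, not part of the original post: a Python sketch that pulls the HTTP status, substatus and Win32 values out of an IIS W3C log and keeps only the 401s from clients that never got a 2xx response, since a successful NTLM handshake also logs 401s. The sample log lines, host addresses and account names are constructed, and the function names are hypothetical.

```python
# Constructed sample of an IIS W3C extended log (not taken from the thread).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2024-01-15 10:02:11 GET /app/default.aspx - 192.0.2.10 401 2 2148074254
2024-01-15 10:02:11 GET /app/default.aspx - 192.0.2.10 401 1 0
2024-01-15 10:02:12 GET /app/default.aspx CONTOSO\\jsmith 192.0.2.10 200 0 0
2024-01-15 10:05:40 GET /app/default.aspx - 192.0.2.23 401 1 1326
2024-01-15 10:07:02 GET /app/report.aspx CONTOSO\\akhan 192.0.2.31 401 3 5
"""

# IIS 401 substatus meanings (small subset).
SUBSTATUS = {
    "1": "logon failed",
    "2": "logon failed due to server configuration",
    "3": "unauthorized due to ACL on resource",
}
# Win32 / SSPI codes as IIS writes them in decimal (small subset).
WIN32 = {
    "0": "ERROR_SUCCESS",
    "5": "ERROR_ACCESS_DENIED",
    "1326": "ERROR_LOGON_FAILURE",
    "2148074254": "SEC_E_NO_CREDENTIALS",  # 0x8009030E
}

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the directive can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated rows
                yield dict(zip(fields, values))

def unresolved_401s(text):
    """Return 401 rows from clients that never received a 2xx response."""
    rows = list(parse_w3c(text))
    ok_clients = {r["c-ip"] for r in rows if r["sc-status"].startswith("2")}
    return [
        (r["c-ip"], r["cs-username"], "401." + r["sc-substatus"],
         SUBSTATUS.get(r["sc-substatus"], "unknown substatus"),
         WIN32.get(r["sc-win32-status"], r["sc-win32-status"]))
        for r in rows
        if r["sc-status"] == "401" and r["c-ip"] not in ok_clients
    ]

if __name__ == "__main__":
    for row in unresolved_401s(SAMPLE_LOG):
        print(*row, sep="  ")
```

The rows it reports are the ones to match by time and client address against the logon failure events in the server's security event log.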