Due to the way how we authenticate AD users in Orion we require the 'Allow Logon Localy' permission for the accounts that are used in Orion.
The partial workaround for this is to enable automatic login using Windows Authentication (it can be set in Web Console Setting). However this works only in situation when IIS does the authentication - the Orion login page is skipped then. Once you get to the Orion login page (either you logout or by timeout) you need to restart the browser so IIS can authenticate the account again."
So there should be two workarounds:
1) Add the accounts to "Allow log on locally" policy on Orion server. You can configure this policy in mmc - Local Computer Policy snap-in - Windows Settings\Security Settings\Local Policies\User Rights Assigment\Allow log on locally
2) Enable automatic login in Orion - this will only work if the authentication is done on IIS, and not in Orion. So it will only work in IE (but there is some browser setting that can allow it also for Firefox) and user needs to be logged under the same account to windows.
oh, for fire fox to work, type in about:config in the url field and add your orion host name in "network.automatic-ntlm-auth.trusted-uris" and now you can use pass-through auth in firefox!!!!! yea!!