Customer had an IIS web server hosting the intranet, and it was setup with both Integrated Auth and Basic Auth to allow access.
The web server had been setup in NAM as a protected resource to use for outside users.
Access Manager user store was Active Directory.
The back-end application expected to receive "domain\user" in the authentication header.
An Identity Injection policy was setup with the LDAP Attribute SAMAccountName to be injected into the authentication header.
This didn't work, the web server still popped up with a basic auth box to provide credentials.
In this case the back-end application needed to be changed to either to not expect the domain or to use an alternative for authentication like User Principal Name.