Setting a local password on your Orchestrator’s domain user’s record will allow you to authenticate with the domain user’s username. I don’t know if this is by design or a bug in the implementation, but I would consider it to not function as expected, as it almost defeats the purpose of authenticating against AD: there are now two sets of credentials for the same user that need to be kept in sync manually, which adds complexity to the management of users and security.
I’ve submitted a support ticket to see if this is by design, a flaw or on the roadmap to enhance functionality (assuming it hasn’t been changed in already released later versions).
With that in mind, I created an NTLM token, passed it in my Authorization header, and called an endpoint such as /odata/Jobs(123). I was able to successfully get a response using a domain user without having to call the /api/Account/Authenticate endpoint to get a Bearer token.
I still believe that the HTML login form and API should be able to accept the domain credentials along with local accounts; at the very least, the documentation should be improved to reflect this.