I'm using express-ntlm to authenticate my users on my app. On Mac OS, browsers ask for a username and password, and when a user enters a wrong password, it shows a page with a forbidden message. I override the forbidden
function in my custom library so I can redirect users to the current URL and they can enter their username and password again. For some reason this works on Chrome but not on Firefox or Safari: it just keeps refreshing the page but doesn't prompt users for a username and password. It looks like the browser is storing the failed login attempt and doesn't let you try again.
forbidden: function(req, res) {
    // Build the retry target as a JS string literal from req.url, escaping '<'
    // so a crafted URL cannot close the <script> element in the page below.
    const target = JSON.stringify(req.url).replace(/</g, '\\u003c');
    res
        .status(401)
        // <body> must follow </head>, and the <script> belongs inside <body>.
        .send(`<!DOCTYPE html><html><head></head><body>
<h2>Login failed, Please try again.</h2>
<script>
window.setTimeout(function() {
    window.location.href = ${target};
}, 1000);
</script></body></html>`);
}
NTLM only makes sense if you use it for SSO (without manually entering credentials).
In your case I would suggest you create your own username/password form and then use some Active Directory / LDAP module to authenticate against the Domain Controller. If it succeeds the user will be logged in; otherwise you show an error and the user can try again.
You can also combine them and use express-ntlm if a browser comes along that supports NTLM (e.g. IE) and otherwise show a login form. In my opinion this would be the biggest benefit and best UX for your users.