'active-auth-method' is actually not about a primary method. Let me explain.
There are active auth methods, which do require user input and activity (that's why they are called 'active').
And passive auth methods (Single Sign-On scenarios, mostly) where the user/computer is considered authenticated based on previous activity. For example, a user logs into a 3rd party WiFi AP/controller and authenticates once via a RADIUS server, which tells the FortiGate firewall about the successful auth. Once we have trustworthy confirmation and basic data about the user and his connection parameters, like Framed-IP-Address (in the RADIUS case) and/or the port or VLAN assigned, we can allow such pre-authenticated traffic based on that knowledge. This is passive authentication. So the user does NOT need to actively/manually authenticate again.
Therefore your kind of configuration is exactly what you were looking for.
FSSO as a passive auth method is preferred. Once the connection cannot be authenticated based on previous knowledge (no record in 'diag debug auth fsso list' or 'diag firewall auth list'), then we have to trigger the active method and ask the user directly.
The mentioned NTLM is active, as by default it will ask the user. However, web browsers can be configured to consider the firewall as trusted and allow a silent NTLM question/answer handshake between the firewall and the workstation. In this way it might look like passive authentication, as the user might not get an auth request, but the web browser will send his domain auth data to the firewall, which will use the FSSO config to validate the data against the DC.
For more details I'd suggest checking the documentation and cookbooks at http://docs.fortinet.com
Tom xSilver, planet Earth, over and out!
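The passive-then-active decision described in the post, as an added example that is not part of the original reply and not Fortinet code: a small simulation of the session table a firewall builds from RADIUS Accounting-Request messages (RFC 2866). Accounting Start records map the Framed-IP-Address to a user, Stop records remove it, and a policy lookup for a source IP returns "passive" when a record exists or "active" when the user must be challenged. The packets are constructed inline (zeroed authenticator, no shared-secret validation) and the class and function names are hypothetical.

```python
import struct
import ipaddress
from typing import Dict, Optional, Tuple

# RADIUS constants from RFC 2865 / RFC 2866
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_STATUS_TYPE = 40
ACCT_START = 1
ACCT_STOP = 2


def build_acct_packet(username: str, framed_ip: str, status: int, ident: int = 1) -> bytes:
    """Constructed sample input: a minimal Accounting-Request.

    The 16-byte Request Authenticator is zeroed here; a real server would
    compute and verify it with the shared secret.
    """
    attrs = b""
    name = username.encode()
    attrs += struct.pack("!BB", ATTR_USER_NAME, 2 + len(name)) + name
    attrs += struct.pack("!BB", ATTR_FRAMED_IP_ADDRESS, 6) + ipaddress.IPv4Address(framed_ip).packed
    attrs += struct.pack("!BB", ATTR_ACCT_STATUS_TYPE, 6) + struct.pack("!I", status)
    length = 20 + len(attrs)  # 4-byte header + 16-byte authenticator + attributes
    return struct.pack("!BBH", ACCOUNTING_REQUEST, ident, length) + bytes(16) + attrs


def parse_attrs(packet: bytes) -> Dict[int, bytes]:
    """Parse the attribute TLVs of an Accounting-Request into {type: value}."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs: Dict[int, bytes] = {}
    pos = 20
    while pos < length:
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > length:
            raise ValueError("truncated attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


class PassiveAuthTable:
    """Hypothetical stand-in for the firewall's learned IP -> user session table."""

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}

    def consume(self, packet: bytes) -> Tuple[str, str, int]:
        """Apply one accounting record: Start learns a session, Stop forgets it."""
        attrs = parse_attrs(packet)
        user = attrs[ATTR_USER_NAME].decode()
        ip = str(ipaddress.IPv4Address(attrs[ATTR_FRAMED_IP_ADDRESS]))
        status = struct.unpack("!I", attrs[ATTR_ACCT_STATUS_TYPE])[0]
        if status == ACCT_START:
            self.sessions[ip] = user
        elif status == ACCT_STOP:
            self.sessions.pop(ip, None)
        return ip, user, status

    def decide(self, src_ip: str) -> Tuple[str, Optional[str]]:
        """Policy lookup: known source IP -> passive auth, otherwise fall back to active."""
        user = self.sessions.get(src_ip)
        if user is not None:
            return ("passive", user)
        return ("active", None)


if __name__ == "__main__":
    table = PassiveAuthTable()
    table.consume(build_acct_packet("alice", "10.0.0.5", ACCT_START))
    print(table.decide("10.0.0.5"))  # passive: learned from accounting Start
    print(table.decide("10.0.0.9"))  # active: no record, user must be asked
    table.consume(build_acct_packet("alice", "10.0.0.5", ACCT_STOP, ident=2))
    print(table.decide("10.0.0.5"))  # active again after Stop
```

The Stop handling matters in practice: a stale entry left behind after a user disconnects would let the next holder of that IP inherit the first user's identity, which is the failure mode that makes session timeouts and Stop records important on the firewall side.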