Currently the FGT is setup with LDAP and I'm able to add admin users to the firewall for authentication for management.  Is there a way, if for example the FGT is 192.168.100.1, to have end users go to http://192.168.100.1 and sign in with their credentials on the FGT in tab 1 of their browser, and then launch tabs 2-5 for instance and the authentication credentials from tab 1 carry over?  So users don't have to authenticate for every website they visit.  I know about FSSO but that's not an option at this point (5 computers all logged in as admin but with 5 different users actively using the computers so it needs to be based on the person who's launching the browser).  I was thinking of enabling NTLM fallback for authentication on all the outbound policies but not sure that correct solution.  Also, how deep would nested groups be supported in this scenario?