I've configured NTLM-Authentication,
but autologin doesn't work for the first request (from the second does it).
Liferay has it's own integrated Filter framework, managed by WEB-INF/liferay-web.xml.
Look at this file, all sso-filters are mapped to the url-pattern "/c/portal/login", because all request to secured sites were redirected to the login-path "/c/portal/login", if no user session exists.
But the first redirect has an additional path parameters ";jsessionid=...." at the end, because there are no session-cockies at this moment (according to URL-Rewriting at Java Servlet Spec).
The responsible method "isMatch" from "com.liferay.portal.kernel.servlet.filters.invoker.FilterMapping" doesn't consider any path parameter, so the url-pattern doen't match, all sso filters are not in the filter chain and autologin doesn't work.
From the second redirect it works, because now there are session-cookies and url-rewriting is no longer necessary. The sso filters are in the chain, autologin works perfectly.
So, if you remove all parameters from the path during filter mapping, it does from the first request (see attachment).