If you are using LDAP, users will always get prompted. This is a given (regardless of whether the user is on the domain).
If you are using a transparent setup, with the authentication server, then the users need to trust the MWG in order to perform integrated authentication.
For more information, review my section on the authentication server (for transparent setups):
For the case of users in the DMZ, you should make sure that that traffic does not pass through the MWG.