When admin attaches a local share as team folder, admin can enable the setting 'Always access the storage using the logged in user's identity'.
Once the setting is enabled, when AD user accesses the team folder, Centrestack will impersonate as the AD user and follow the share's NTFS permission directly. Centrestack can impersonate as the AD user because the user has already logged in with AD credentials. Thus Centrestack can user the user's token to impersonate.
When Single Sign On is enabled and AD user logs in via SSO, the authentication is done on the SSO. Centrestack does not have the AD user login credential. It can not impersonate as the AD user when access the share with the setting 'Always access the storage using the logged in user's identity' enabled. The AD user will not have permission to access the share.
To support the scenario, the latest Centrestack introduces a second login to domain, when the AD user logs in SSO. The second login to domain allows Centrestack to get the AD user's token, to impersonate as the AD user..
In some system, the tenant has no local share attached directly. There is no need to impersonate as the AD user to access those type of shares. Thus the second login is unnecessary. In that case, admin can enable the setting 'Skip Login for NTFS Permission', under Group Policy, SIngle SIgn On. Once the setting is enabled, when AD user logs in Centrestack via SSO, will not get the second login.