The native client passes on the entered password to the server. If /vsmagent/single_signon is true, the password will then be available in the user session. However, the HTML5 client does not pass on the password.
Fixed in 27407.
Verified using SLED11 connected to a Win2008R2 AD with ThinLinc build 3960.
Works like expected.