Thanks Bill .

In all the CTE examples i have seen, it shows that we need to enable DMS mode on Qlikview server.

What we have done is, created a website for our clients. The authentication for this website is handled separately by us using Web services. Once successfully logged in, we force the user to generate an OTP (Via registered email) and only on validation of the OTP, we request the Qlikview server for a Token.

The same user is already created as a local windows user on the Qlikview Extranet server. Now when we try to redirect to Access point, it says Login failed (With Web server Authentication set to NTLM or Header). The Authorization is set to DMS only.

We assume that once Qlikview has generated a token, it should automatically open access point when we call the AP URL

I did confirm QES allows DMS security mode, so you are good there, so the only thing of which I can think is you have a mismatch in the DMS Authorization and what the QVS Ticket is based upon, we have to have a string match there.  You should be able to see in the QVWS logs, if they are set to high verbosity, what the user is that is coming in I think, but may just show the ticket, but I would then also check QVS Event log to be sure you see the ticket being created there, and do not forget that tickets have a short life, couple of minutes, so if there is a lag in getting the ticket back to the user and them passing it back, it could be that the ticket has expired in which case the QVS Event log should state as much I believe. 

QES does support SSO as well, so in theory things should work, but something has to be out of sync here, hopefully this may give you a couple more things to check upon to see if you can spot what may be wrong. 

Regards,
Brett