I would change your QlikView server to use DMS authentication - pushing the authentication to QlikView rather than NT.
Then, modify your ASP portal to make a call to the QvsComRemote.dll to authenticate the user (documented in the v9 QVS reference manual). The QvsComRemote generates a single use ticket which you then append to your URL. This ticket expires immediately if not used and is only valid for one session. Even if they copy the URL with the ticket again, it can't be re-used.