It automatically uses the Windows credentials of the current Windows session, which in an IIS setting will be the user that is running the ApplicationPool. There are some tools to enable even further Controller actions in an MVC application, but in this scenario you are attempting to use Windows credentials for two different services, IIS and IceLib, and each is reading a different user for its access. I offer two suggestions, but brighter minds may have others.
Manual Windows Authentication
IceLib allows users to manually enter their Windows credentials to generate a session with IC. To do this the "Allow Manual Windows Authentication Credentials" setting must be enabled in Admin, and the users will need to be mapped to their domain (which it sounds like is already done). You would have to display a login page for them to enter their domain credentials, but you could at least get the user and populate that for them so they only need to enter their password and station information. With this type of authentication, you will use the AlternateWindowsAuthSettings.
Proxy Authentication
There are also methods that allow proxy sessions to be created on behalf of users. You will need a user created with the "Allow Proxy Login" security setting. In your app, after you retrieve the user accessing the MVC, you would create a session using this Proxy user, and then use the ProxyAuthentication class to act on behalf of the user. With respect to interactions, I do not know if this would require the user making calls to be set up with default stations, if it would require an already existing Desktop/Connect session, or if you could have the user enter a station and log them in. I have used ProxyAuth previously, but not with interactions.