Let me take a shot at it.
The first thing that can be very helpful to do is get into the CLI of the controller and configure:
logging level debug security
This will produce a huge amount of log output for security-related events, like authentication. Often you can tell what's going on by looking at "show log security 50" (shows the last 50 lines of the security log).
Second, yes, you should be prompted for a username/password the first time you connect. Assuming you've checked the box that says "Remember my credentials", you shouldn't get prompted again. Make sure in the client configuration you have selected WPA2/Enterprise as the security scheme. For the network authentication, choose Microsoft: Protected EAP (PEAP). Inside the PEAP settings, choose EAP-Token for the Authentication Method. That should be all you need to get started. Assuming this is Windows 7, you may also need to click on the Advanced Settings button, select "Specify Authentication Mode", and choose "User authentication" - I have had mixed results with setting/not setting this.
Once it is all configured, you really should just have to tell Windows to connect to the wireless network. It should automatically attempt authentication, and should prompt you for credentials.
I'll warn you that 802.1X against an LDAP back end is not very common, so it's going to be a little tough to find people who know how this works. I would say 95% of our customers are using RADIUS.
Good luck!