My understanding is that you have configured ACS Internal User accounts with Password Authentication against AD as follows:
Screenshot of User Setup for a specific account:
Now, you would like to configure the ACS to check the Enable Password authentication on the ASA for that same ACS Internal User account against AD, that is, to access the ASA enable mode with the AD password as well. In that case you need to enable the TACACS+ features for the user account under Interface Configuration > TACACS+ (Cisco IOS) and check "Advanced TACACS+ Features".
Go back to the ACS user account, scroll down to TACACS+ Enable Password, and select the Windows Database option:
TACACS+ Outbound Password enables a AAA client to authenticate itself to another AAA client or end-user client via outbound authentication. The outbound authentication can be PAP, CHAP, MS-CHAP, or ARAP and results in the ACS password being given out. By default, the user's ASCII/PAP or CHAP/MS-CHAP/ARAP password is used. To prevent compromising inbound passwords, you can configure a separate SENDAUTH password. Use this feature only if you are familiar with TACACS+ SendAuth/OutBound password.
For your specific scenario you can leave it blank. I just forgot to delete the default "dots" that the ACS adds to the user account.