I need to understand more about SSO in a web application against Active Directory.

To simply ask the user for the login to authenticate against AD, I understand I can use libraries like Zend_Ldap, adLdap and so forth. However, in this case the user still has to type the login twice. For instance: Authenticate against Active Directory/ISA from php

AFAIK, to use SSO for transparent login, I have to implement an additional Apache module. For instance: How do you use Microsoft AD and php single sign on web application?

Authenticate against ldap using PHP, active directory, while using the IE/Opera

First I need to know which Apache module to use and why. In this short article, for instance, you will find three: mod_ntlm, mod_auth_kerb and Apache2:AuthenNTLM. And the chosen one was Apache2:AuthenNTLM.

In the question referred to above, the accepted answer was for mod_auth_sspi.

When talking about Active Directory, I got this answer, which describes Active Directory as an implementation of LDAP + Kerberos + "a couple of other miscellaneous odds and ends".

I am very unclear about each of these names, since I have never worked with them. Can someone clarify them for me? (LDAP, Kerberos, NTLM, SSPI, etc.)

Finally, can someone point me to how the application recognizes the authenticated user (from AD)? Is it simply by the username passed with something like $_SERVER['REMOTE_USER']? Is any password passed? How exactly does the browser send these extra headers? Is there any local configuration that needs to be done on each workstation?

Single-Sign-On and Shared-Authentication are related, but different, concepts. I believe you might be confusing them. If you would like true SSO, try looking into CAS.

LDAP and AD are methods for storing user and organisation data. They aren't useful for doing the actual authentication over the web, but they are used behind an SSO (for example CAS) as the "database".

Authentication is a confusing mess. Here's some background.

LDAP: LDAP is a protocol for communicating user directory information. It can also handle authentication, but it's not seamless (SSO).

NTLM: NTLM is Microsoft's SSO built into IE, ActiveDirectory and IIS. The original version of NTLM is extremely insecure, so NTLMv2 was implemented to fix the security issues in NTLM. The original NTLM is disabled by default in Windows Vista and later.

Kerberos: Kerberos is an open standard that's very secure and is designed to offer seamless (SSO) authentication. ActiveDirectory supports a version of Kerberos.

As far as the modules you can use to implement these methods, you included an excellent list of them.

mod_ntlm: This is an Apache module that runs on Linux and supports the original NTLM (not NTLMv2).

mod_auth_kerb: This is an Apache module that implements Kerberos.

mod_auth_sspi: This is an Apache module for Windows that supports the original NTLM (not NTLMv2).

Apache2:AuthenNTLM: This is a Perl module that handles NTLM. I'm not sure whether it supports NTLM and NTLMv2.

mod_auth_ntlm_winbind: This is an Apache module that connects with Samba's authentication.
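
Added example (not part of the question or the answers above, and not code from any of the modules listed): with integrated authentication the browser sends a base64 token in the Authorization header, and the token's leading bytes show whether a client used NTLM or Kerberos. The function name, labels and sample tokens are assumptions constructed for illustration; Python is used so the check can be run stand-alone.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}
# DER encoding of the Kerberos 5 mechanism OID 1.2.840.113554.1.2.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")


def classify_authorization(header_value):
    """Return (scheme, mechanism) for an HTTP Authorization header value."""
    scheme, _, token_b64 = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme not in ("negotiate", "ntlm"):
        return scheme, "not integrated auth"
    try:
        token = base64.b64decode(token_b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return scheme, "malformed token"
    # NTLM messages carry a fixed signature, whether sent raw or wrapped in SPNEGO.
    pos = token.find(NTLMSSP_SIG)
    if pos != -1 and len(token) >= pos + 12:
        msg_type = int.from_bytes(token[pos + 8:pos + 12], "little")
        return scheme, "ntlm-" + NTLM_TYPES.get(msg_type, "unknown")
    # An initial GSS-API/SPNEGO token starts with ASN.1 tag 0x60.
    if token[:1] == b"\x60" and KRB5_OID in token:
        return scheme, "kerberos"
    return scheme, "unrecognised"


def _header(scheme, raw):
    """Build a header value from raw token bytes (helper for the samples)."""
    return scheme + " " + base64.b64encode(raw).decode("ascii")


# Constructed sample tokens: correctly shaped prefixes, not real credentials.
SAMPLE_NTLM_TYPE1 = _header(
    "NTLM", NTLMSSP_SIG + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2")
SAMPLE_NTLM_IN_NEGOTIATE = _header(
    "Negotiate", NTLMSSP_SIG + (3).to_bytes(4, "little") + bytes(52))
SAMPLE_KERBEROS = _header(
    "Negotiate", b"\x60\x1e\x06\x06\x2b\x06\x01\x05\x05\x02" + KRB5_OID + bytes(16))

if __name__ == "__main__":
    for h in (SAMPLE_NTLM_TYPE1, SAMPLE_NTLM_IN_NEGOTIATE,
              SAMPLE_KERBEROS, "Basic dXNlcjpwYXNz"):
        print(classify_authorization(h))
```

Run over captured request headers, this shows which clients fall back to NTLM inside a Negotiate exchange instead of presenting a Kerberos ticket.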