How does SSO with Active Directory work whereby users are transparently logged in to an intranet web app?

First of all – and in case other users happen to visit this page – there are only certain authentication methods that allow you to do promptless SSO. These are NTLM and Kerberos. LDAP – on the other hand – will never give you promptless SSO.

NTLM is actually NTLMv1 and NTLMv2. These are very different and NTLMv1 is deprecated because of serious security issues. You should shy away from Java authentication solutions that fail to correctly identify if they support NTLMv1 or NTLMv2 because they only use the word “NTLM” in their documentation. Chances are the developers of said security solution don’t know themselves, which is all the more reason to look for the fire escape.

Contrary to traditional belief, both NTLMv1 and NTLMv2 are fully documented by Microsoft, but you will still find solutions that claim to have ‘reverse engineered’ the protocol. It is true that this was needed prior to Microsoft documenting the protocols, I believe around 2006 or 2007. Anyway, NTLMv1 is a no-no. There’s nothing wrong with NTLMv2 per se, but Microsoft has been phasing out NTLM (in any form) in all of its products in favour of Kerberos authentication. NTLMv1 is long dead and NTLMv2 is now only used by Microsoft in cases where no Domain Controller is available. Bottom line: NTLM (in any form) is not really the way forward. We should actually salute Microsoft for taking a standards-based approach here.

This leaves you with Kerberos. Microsoft has created a protocol for negotiating and transporting authentication information over HTTP. This is known in Microsoft products as “Integrated Windows Authentication” but it has been nailed down as an official standard under the name of SPNEGO. This is what you should be looking for. SPNEGO supports both NTLMv2 and Kerberos as the underlying authentication mechanism but for the above reasons you should be targeting Kerberos rather than NTLMv2.

I’ve successfully integrated several Tomcat applications (running on Linux/Solaris) with Active Directory using the SPNEGO Project at SourceForge. I’ve found this to be the simplest approach. This gives you promptless SSO similar to what, for example, a SharePoint server does. This is most likely what your users will expect when talking about ‘SSO’. Getting the Kerberos configuration right, generating keys and setting up ‘dummy’ accounts in Active Directory can be a hassle, but once you get it right it works like a charm.

The only thing I do not like about the SPNEGO Project at SourceForge is that I do not understand how often it performs the authentication. My nasty suspicion is that it does it for every page view rather than once for each session. Perhaps I’m wrong in this. Anyway: this highlights another thing to consider in SSO solutions: you don’t want to implement a solution that ‘spams’ your identity provider (say Active Directory) with unnecessary requests.
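Added example, not part of the answer above and not code from the SPNEGO Project: a small Python check that decodes the token a browser sends in `Authorization: Negotiate` and reports whether it offers Kerberos or has fallen back to NTLM, which is the practical way to confirm that the Kerberos setup described above is actually being used rather than NTLMv2. The mechanism OIDs are the standard ones; the two sample headers are constructed, and `classify_negotiate` is a name chosen for this example.

```python
import base64
SPNEGO_OID = "1.3.6.1.5.5.2"
# Mechanism OIDs seen in a NegTokenInit mechTypes list (Kerberos first, NTLM last).
MECH_NAMES = {"1.2.840.48018.1.2.2": "MS-KRB5", "1.2.840.113554.1.2.2": "KRB5",
              "1.3.6.1.4.1.311.2.2.30": "NEGOEX", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

def _der_len(buf, i):  # DER length at buf[i] -> (length, offset of first content byte)
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _decode_oid(content):  # DER OID content bytes -> dotted notation
    arcs, val = [], 0
    for b in content:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in [arcs[0] // 40, arcs[0] % 40] + arcs[1:])

def _collect_oids(buf, found):
    """Depth-first walk collecting every OID (primitive contents such as an AP-REQ are skipped)."""
    i = 0
    while i < len(buf):
        tag, (length, start) = buf[i], _der_len(buf, i + 1)
        body = buf[start:start + length]
        if tag == 0x06:
            found.append(_decode_oid(body))
        elif tag & 0x20:  # constructed tag: recurse into its contents
            _collect_oids(body, found)
        i = start + length
    return found

def classify_negotiate(header_value):
    """Return ('ntlm-raw', []) for a bare NTLMSSP message, ('spnego', mechs) with the
    offered mechanisms in the client's preference order, or ('unknown', [])."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "unknown", []
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm-raw", []
    oids = _collect_oids(raw, []) if raw[:1] == b"\x60" else []
    if not oids or oids[0] != SPNEGO_OID:
        return "unknown", []
    return "spnego", [MECH_NAMES.get(o, o) for o in oids[1:]]

# Constructed samples (not captured traffic): a NegTokenInit offering MS-KRB5, KRB5, NTLMSSP; a bare NTLMSSP NEGOTIATE.
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(bytes.fromhex(
    "6032" "06062b0601050502" "a028" "3026" "a024" "3022" "06092a864882f712010202"
    "06092a864886f712010202" "060a2b06010401823702020a")).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(28)).decode()
```

Logging the result per session (not per request) gives a quick picture of which clients never obtain a ticket, which usually points at a missing or mismatched SPN on the service account.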
