
How can I implement single sign-on (SSO) using Microsoft AD for an internal PHP app?


All you need is the mod_auth_sspi Apache module.

Sample configuration:

    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIDomain mydomain

    # Set this if you want to allow access with clients that do not support NTLM, or via proxy from outside. Don't forget to require SSL in this case!
    SSPIOfferBasic On

    # Set this if you have only one domain and don't want the MYDOMAIN\ prefix on each user name
    SSPIOmitDomain On

    # AD user names are case-insensitive, so use this for normalization if your application's user names are case-sensitive
    SSPIUsernameCase Lower
    AuthName "Some text to prompt for domain credentials"
    Require valid-user

And don't forget that you can also use Firefox for transparent SSO in a Windows domain: Simply go to about:config, search for network.automatic-ntlm-auth.trusted-uris, and enter the host name or FQDN of your internal application (like myserver or myserver.corp.domain.com). You can have more than one entry; it's a comma-separated list.
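How the PHP application might consume the identity that Apache establishes with the configuration above, shown as an added example that is not part of the original answer. The function name `resolveSsoUser()`, the allow-list pattern and the sample requests are hypothetical; it assumes Apache passes the authenticated name in `REMOTE_USER` and that PHP populates `PHP_AUTH_PW` when the client fell back to Basic credentials.

```php
<?php
declare(strict_types=1);

// Added example; resolveSsoUser() and all sample values are hypothetical.
// $server is the request's $_SERVER array; $expectedDomain mirrors SSPIDomain.
function resolveSsoUser(array $server, string $expectedDomain): ?string
{
    $remote = trim((string)($server['REMOTE_USER'] ?? ''));
    if ($remote === '') {
        return null; // Apache did not authenticate this request
    }
    // Assumption: PHP_AUTH_PW is present when the client sent Basic
    // credentials (SSPIOfferBasic On). The password then crossed the wire,
    // so refuse the request unless it arrived over TLS.
    $https = strtolower((string)($server['HTTPS'] ?? 'off'));
    if (isset($server['PHP_AUTH_PW']) && ($https === '' || $https === 'off')) {
        return null;
    }
    // Without SSPIOmitDomain the value is DOMAIN\user; accept only our domain.
    $pos = strrpos($remote, '\\');
    if ($pos !== false) {
        $domain = substr($remote, 0, $pos);
        $remote = substr($remote, $pos + 1);
        if (strcasecmp($domain, $expectedDomain) !== 0) {
            return null;
        }
    }
    // Conservative allow-list (assumption: the site's logon names fit it).
    if (!preg_match('/\A[A-Za-z0-9._-]+\z/', $remote)) {
        return null;
    }
    // AD names are case-insensitive: normalize even if SSPIUsernameCase is unset.
    return strtolower($remote);
}

// Constructed sample requests, for illustration only.
$samples = [
    ['REMOTE_USER' => 'MYDOMAIN\\JSmith'],                    // domain prefix, mixed case
    ['REMOTE_USER' => 'jsmith'],                              // SSPIOmitDomain On
    ['REMOTE_USER' => 'OTHER\\jsmith'],                       // unexpected domain
    ['REMOTE_USER' => 'jsmith', 'PHP_AUTH_PW' => 'x'],        // Basic fallback, no TLS
    ['REMOTE_USER' => 'jsmith', 'PHP_AUTH_PW' => 'x', 'HTTPS' => 'on'],
    [],                                                       // unauthenticated request
];
foreach ($samples as $sample) {
    var_dump(resolveSsoUser($sample, 'mydomain'));
}
```

A `null` return means the request must be treated as unauthenticated; the application should map the returned name to its own account record rather than trusting any user name supplied in the request body.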


I'd be curious about a solution that uses OpenID as a backend (of sorts) for this... I wasn't seeing anything that would hook into Active Directory directly when I googled (quickly). However, it could be pretty painless to implement over plain HTTP(S) (you'd be an OpenID provider that checked credentials against your local AD). In a best case scenario, you might be able to just add a couple classes to your app and be off and running -- no web server modules required. There is a lot of open source code out there for either side of this, so if nothing else, it's worth taking a look. If you exposed the backend to the users (i.e. gave them OpenID URLs), you'd have the added benefit of them being able to log in to more than just your internal sites using these credentials. (Example: Stack Overflow.)

As an aside, I'd be against making it so that Internet Explorer is required. I'm not sure if that is the goal from the way you wrote the question, but depending on your IT environment, I'd expect people who use Firefox or Safari (or Opera or ...) to be less than enthusiastic. (You're not developing against IE first, are you? That's been painful whenever I've done so.) This is not to say that you couldn't use this feature of IE, just that it shouldn't be the only option. The link you posted stated that NTLM worked with more than IE, but since I don't have any experience with it, it's hard to judge how well that would work.


I had a similar problem which I needed to solve for my organization.

I was looking into using adLDAP.

There is some documentation on the site for achieving seamless authentication with Active Directory too.