How does single sign-on (SSO) work with PHP + Apache against an Active Directory for transparent authentication?



Authentication is a confusing mess. Here is some background.

  • LDAP: LDAP is a protocol for communicating user directory information. It can also handle authentication, but it is not seamless (SSO).

  • NTLM: NTLM is Microsoft's SSO built into IE, ActiveDirectory and IIS. The original version of NTLM is very insecure so NTLMv2 was implemented to fix the security issues in NTLM. The original NTLM is disabled by default in Windows Vista and later.

  • Kerberos: Kerberos is an open standard that is very secure and is designed to offer seamless (SSO) Authentication. ActiveDirectory supports a version of Kerberos.

As for the Apache modules that can be used to implement these protocols, you included a pretty good list of them.

  • mod_ntlm: This is an Apache module that runs on Linux and supports the original NTLM (not NTLMv2).

  • mod_auth_kerb: This is an Apache module that implements Kerberos.

  • mod_auth_sspi: This is an Apache module for Windows that supports the original NTLM (not NTLMv2).

  • Apache2::AuthenNTLM: This is a Perl module that handles NTLM. I don't know if it supports NTLM and NTLMv2.

  • mod_auth_ntlm_winbind: This is an Apache module that interfaces with Samba's authentication.
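The Kerberos route from the list above is the one that gives transparent login without the NTLM weaknesses, and the part that is easy to get wrong is the hand-off from the Apache module to PHP. The following is an added example (not code from either answer or from any of the modules named) of the PHP side: it trusts only the `REMOTE_USER` and `AUTH_TYPE` values that Apache itself populated, rejects a Basic-auth password fallback, checks the Kerberos realm, and restricts the account name to characters that are safe to reuse in a later LDAP filter. The realm `EXAMPLE.COM`, the keytab path, the directive list in the leading comment and the assumption that mod_auth_kerb reports `Negotiate` in `AUTH_TYPE` for ticket-based logins are all assumptions to verify against your own deployment.

```php
<?php
// Added example, not from the original answers. It assumes Apache has already
// authenticated the request with mod_auth_kerb using directives such as
// (assumed values, adjust to your environment):
//   AuthType Kerberos
//   AuthName "Intranet"
//   KrbAuthRealms EXAMPLE.COM
//   KrbServiceName HTTP
//   Krb5Keytab /etc/apache2/http.keytab
//   KrbMethodNegotiate On
//   KrbMethodK5Passwd Off      # ticket only, no password fallback
//   Require valid-user
// PHP then relies solely on what Apache wrote into $_SERVER.

declare(strict_types=1);

/**
 * Return the short account name from an Apache-supplied Kerberos principal,
 * or null when the request must be treated as unauthenticated.
 */
function ssoUserFromServer(array $server, string $expectedRealm): ?string
{
    // REMOTE_USER is set by the Apache auth module, never by the browser.
    // A client header such as X-Remote-User shows up as HTTP_X_REMOTE_USER
    // and must not be consulted for identity.
    $principal = $server['REMOTE_USER'] ?? '';
    if (!is_string($principal) || $principal === '') {
        return null;
    }

    // Accept only ticket-based (SPNEGO/Negotiate) logins. A "Basic" value
    // would mean the password itself was sent to the web server.
    // Assumption: mod_auth_kerb reports "Negotiate" here for ticket logins;
    // confirm on your build before relying on this check.
    $authType = strtolower((string) ($server['AUTH_TYPE'] ?? ''));
    if ($authType !== 'negotiate') {
        return null;
    }

    // Kerberos principals look like user@REALM. The realm is case-sensitive
    // and conventionally upper case, so compare it exactly.
    $parts = explode('@', $principal, 2);
    if (count($parts) !== 2 || $parts[1] !== $expectedRealm) {
        return null;
    }

    // The user part normally matches the AD logon name and is typically fed
    // into an LDAP filter afterwards, so keep the accepted character set
    // conservative rather than escaping later.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $parts[0])) {
        return null;
    }
    return strtolower($parts[0]);
}

// Constructed sample requests (not captured from a real server).
$samples = [
    ['REMOTE_USER' => 'jdoe@EXAMPLE.COM', 'AUTH_TYPE' => 'Negotiate'],         // accepted -> "jdoe"
    ['REMOTE_USER' => 'jdoe@OTHER.COM',   'AUTH_TYPE' => 'Negotiate'],         // wrong realm
    ['REMOTE_USER' => 'jdoe@EXAMPLE.COM', 'AUTH_TYPE' => 'Basic'],             // password fallback
    ['HTTP_X_REMOTE_USER' => 'admin@EXAMPLE.COM', 'AUTH_TYPE' => 'Negotiate'], // client header only
    ['REMOTE_USER' => 'j*doe@EXAMPLE.COM', 'AUTH_TYPE' => 'Negotiate'],        // filter-unsafe name
];
foreach ($samples as $s) {
    echo (ssoUserFromServer($s, 'EXAMPLE.COM') ?? 'REJECTED'), PHP_EOL;
}
```

Run under a vhost protected by the directives in the comment; in production replace the `$samples` loop with `ssoUserFromServer($_SERVER, 'EXAMPLE.COM')` and use the returned name as the key for the LDAP lookup that fetches group membership. The returned value is the only identity the application should ever use; if it is null, respond with 403 rather than falling back to any form field or cookie.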


Single-Sign-On and Shared-Authentication are related, but different, concepts. I think you may be confusing them. If you want true SSO, look into CAS.

LDAP and AD are protocols for storing users and organisation data. They are not useful for doing the actual authentication over the web, but you can use them behind an SSO (such as CAS) as the "database".