My company is trying to reduce the number of user IDs and passwords that a typical user needs to access our applications, hopefully to one. We refer to this as single sign-on. The idea is to have the user authenticate once at initial Windows sign-on to the Windows/Kerberos domain controller and have Kerberos issue a certificate or token to the user. Once the user has been authenticated, a utility running on the PC would respond to any further ID/password requests using the certificate/token and not prompt the user for authentication again.
The challenge seems to be getting my PIX firewall and the ACS server to participate correctly in the process. For access control and accounting purposes, the PIX is set up to authenticate HTTP users through the ACS server and the Windows domain controller. In the future, when the PIX asks for authentication, the response will be something other than an ID/password.
Has anyone tackled this question yet?