Single Sign On

I'm researching a Single Sign-On solution for a 3-tier application.
At the moment the user has to log in many times:
1) MS Windows logon to the domain (Active Directory)
2) Novell
3) Our application
The Windows logon is required. Novell is not my problem (how to configure it to reuse the Windows login).
Now I'm looking for a solution to reuse the authentication already done by the Windows logon. Therefore my idea is to use LDAP to authenticate against the AD (using the SID and ACLs I got from the Windows logon). Up to here I would not need LDAP, but my problem starts in the middle tier of the application. This tier is a server process (running on a separate machine) running under one specific user account (the same for all calling clients; the DCOM object is configured to use "this user" with no authentication and no impersonation). The middle tier connects to a database (the 3rd tier) using the username/password from my own login dialog in the 1st tier. Now I want to avoid this additional login dialog in the first tier. Assuming my database supports authentication via LDAP, how can the DB know which user logged in at the 1st tier (the client's machine)?
How does an LDAP authentication work without having username and password, but only the SID and ACLs given by the Windows logon? Do I need to pass them to the middle tier? As strings? How do I avoid someone manipulating these strings?
Is there a better/more common solution for enabling SSO for an application?

Any help (hints, links, articles, ...) is welcome

Thanx Luenii
[1616 byte] By [Lueni] at [2007-11-18 8:42:44]