If your users log on to Windows on a domain controller of your infrastructure, you can use the Windows Integrated Authentication feature to prevent them from re-entering their login and password when they connect to your intranet, for example.
The SSO (Single Sign On) solution proposed here is based on an environment where users under Windows XP log on to an Active Directory / Windows Server 2003 domain controller, and connect to an Apache2 / PHP 5.2 Web server.
As long as the user is authenticated to the domain in Windows, the browser (Firefox, Internet Explorer or Safari) will attempt to pass and negotiate this identity with a web server that the user is connecting to.
This site must be in the trusted zone (IE) or in the list of sites for which this type of authentication is allowed (network.automatic-ntlm-auth.trusted-uris on Firefox)
This process is totally transparent for the user, and totally secure since no sensitive data, notably the password, is exchanged between the client browser and the server.