I have been asked to comment on approaches to "single sign on" for our new

Previous developers have given a bad impression of cookies to the decision

As part of my answer I am defining the separate parts e.g. creating a
directory of users (yes IDM2 gets a mention !) as well as the seamless
browser authentication side.

Naturally one party suggests using the "Integrated Windows Authentication"
that is part of Internet Explorer. Sigh...

After much reading, it would seem that even Microsoft's own products won't
proxy Kerebos (they assume the ticketing server is local), and NTLM is the
fallback. Shame it reauthenticates for every connection. Shame I can't
guarantee every proxy on the Internet will support it...(well maybe not).

Saving the user credentials at the browser level will most likely not be
acceptable - we need some pass-through authentication of the local logged
in user's credentials.

Ideally the solution will not be OS or browser specific. At the least I am
trying not to lock into Internet Explorer !

QUESTION 1: What does BM support ? NTLM, Kerebos, Basic (obviously !),
Digest, etc. ?

QUESTION 2: I am happy to use Basic or (preferably) digest authentication -
but how do I get the web browser to send the current logged in user
credentials ?

All suggestions appreciated.