Seamless SSO with Kerberos, IE, Firefox, LDAP Active Directory
We faced a very similar problem. We eventually concluded that while integrated NTLM logon support in Internet Explorer and Firefox is convenient, there are so many exception cases which result in failure that we changed our approach.
The problem with integrated authentication is that it works only when the currently logged on username and password are still correct and properly authorized to access the resource.
There are more circumstances where it doesn't work, however:
- If the username and/or password are incorrect, there's no way to use alternate credentials as you stated above
- If the account and/or password have expired or if the password is wrong, the browser will return an "unauthorized" message with no clue as to which of the problems it is
The approach we standardized on was to put up a username/password logon web page (in front of the application) which accepts the credentials. When the credentials are submitted, the application would in turn validate those credentials against the directory and then respond accordingly (in a .NET world you could use Forms Authentication http://msdn.microsoft.com/en-us/library/aa480476.aspx to force access to the application via this login page). Since the application is doing the credential validation, you get rich information as to the nature of the login failure. In addition, even if the login succeeds but there's relevant information to display to the user, e.g. their password will expire shortly, etc., this provides an opportunity to do so.
UPDATE: I forgot to mention that if you adopt this approach, you'll need to allow anonymous access to the IIS application root. This will allow access to the login web page without first attempting the automatic NTLM authentication. It's up to you whether you leave NTLM authentication enabled; perhaps you do want some clients to still automatically log in.
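A concrete form of the credential check this answer describes, added here as an illustration and not the original poster's code: the login page's handler does a simple bind to Active Directory over LDAPS with the submitted credentials, and the AD failure sub-code in the bind diagnostic ("data 52e", "data 532", ...) is mapped to a specific reason that the page can act on. The `LoginResult` names, the `DirectoryLogin` class and the domain controller host `dc01.corp.example` are assumptions; it needs the `System.DirectoryServices.Protocols` assembly.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text.RegularExpressions;
public enum LoginResult
{
    Success, BadPassword, UnknownUser, PasswordExpired, MustChangePassword,
    AccountDisabled, AccountExpired, AccountLocked, LogonRestricted, Other
}

public static class DirectoryLogin
{
    // AD puts the reason for a failed simple bind in the diagnostic message, e.g.
    // "80090308: LdapErr: ... AcceptSecurityContext error, data 52e, v1db1".
    static readonly Regex DataCode = new Regex(@"data ([0-9a-fA-F]+)", RegexOptions.IgnoreCase);
    public static LoginResult ClassifyBindError(string serverErrorMessage)
    {
        var m = string.IsNullOrEmpty(serverErrorMessage) ? null : DataCode.Match(serverErrorMessage);
        if (m == null || !m.Success) return LoginResult.Other;
        switch (m.Groups[1].Value.ToLowerInvariant())
        {
            case "525": return LoginResult.UnknownUser;        // user not found
            case "52e": return LoginResult.BadPassword;        // invalid credentials
            case "530":                                        // outside permitted logon hours
            case "531": return LoginResult.LogonRestricted;    // workstation restriction
            case "532": return LoginResult.PasswordExpired;
            case "533": return LoginResult.AccountDisabled;
            case "701": return LoginResult.AccountExpired;
            case "773": return LoginResult.MustChangePassword; // reset required at next logon
            case "775": return LoginResult.AccountLocked;
            default:    return LoginResult.Other;
        }
    }

    // dc is a hypothetical host name; in practice use the domain's DNS name so the DC locator picks a DC.
    public static LoginResult Validate(string upn, string password, string dc = "dc01.corp.example")
    {
        // An empty password must be rejected before binding: LDAP treats it as an
        // unauthenticated bind, which can "succeed" without proving anything.
        if (string.IsNullOrEmpty(password)) return LoginResult.BadPassword;
        using (var conn = new LdapConnection(new LdapDirectoryIdentifier(dc, 636)))
        {
            conn.SessionOptions.SecureSocketLayer = true; // LDAPS: never send the password in clear
            conn.AuthType = AuthType.Basic;               // simple bind with the user's own credentials
            try { conn.Bind(new NetworkCredential(upn, password)); return LoginResult.Success; }
            catch (LdapException ex) { return ClassifyBindError(ex.ServerErrorMessage); }
        }
    }
}
```

Log the fine-grained result server-side for support and detection, but consider showing the same message for `UnknownUser` and `BadPassword` to the end user, since distinguishing them confirms which account names exist.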