The SSO is achieved by means of Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), which is a GSSAPI "pseudo mechanism" used to negotiate one of a number of possible real mechanisms. The negotiable sub-mechanisms include Windows NT LAN Manager (NTLM) and Kerberos, both of which are supported by Microsoft Active Directory.
Windows SSO can be implemented in a variety of ways, including via WebSphere® Application Server SPNEGO Trust Association Interceptor (TAI), Tivoli® Access Manager, or other third-party access managers.
In Lotus Connections 2.5, the Windows SSO support is built on WebSphere Application Server SPNEGO TAI. Figure 1 illustrates how the SPNEGO authentication is performed with WebSphere SPNEGO TAI (excerpted from the developerWorks article titled, "Administering the SPNEGO TAI: Tips on using Kerberos service principal names").