Is Kerberos a good solution for web-single signon

paul b bisibis at pt.lu
Tue Mar 9 10:29:25 EST 2004


Hello,
I am currently developing a "web single sign-on" system and I am
thinking about using Kerberos for this purpose.

The goal is that a user has to identify himself once, using an
X.509 certificate, and that he then has access to a set of web sites.
In addition, I have an LDAP tree that could be used for managing the
user rights.

I am not 100% familiar with Kerberos, so I don't know if my idea
works:
I wanted to authenticate the user on the first connection using their
certificate. Based on the certificate, it should be possible to get
the user's Kerberos information (username, REALM and password) from the
LDAP tree and pass this information to the Kerberos Authentication
Server in order to get a ticket.

Is this scenario possible and, if yes, will it be transparent to the
user (the best would be to authenticate the user only with his
certificate, but one password popup could be tolerable ;-)) and not too
hard to implement?

As I understood it, users must log in manually to the Kerberos system
using Linux commands like "kinit", ... and there are a lot of other
commands that have to be typed by the user. Is that really necessary or
is it possible to "automate" these functions so that they are
transparent to the user?

Does kerberizing a web site introduce big changes to the site itself,
can I interface Kerberos with the original login functions, or how does
this work?

Perhaps someone can tell me if Kerberos is really a good solution for
web single sign-on (and fully transparent to end users) or if there are
simpler possibilities, like for example installing a "reverse
proxy"?

Could I, in later stages, also interface Kerberos with an SAP server,
Citrix, ...?

Thanx
CB