This document discusses single sign-on authentication for Plone using Kerberos or Windows authentication. It describes how the netsight.windowsauthplugin allows Plone to authenticate users against Microsoft Active Directory without requiring separate username and password. The plugin uses Windows' SSPI API on Windows and MIT Kerberos libraries on other platforms. It then provides an example use case where it allowed users from two separate Active Directory domains to access a single Plone site without reauthenticating.