The documentation on dev2dev appears to change all the time and without notice. I run Google beta which caches all visited web pages and one of the documents for WL enterprise security has three different versions in my cache each with slightly different implementation instructions.

Anyway, I have implemented SSO using WL and AD using a third party Spnego identity asserter in the past and I presume the asserter which is now built in to sp4 works in the same way. You need to set up an active directory authenticator to enable weblogic to 'see' the users and roles in the AD domain.

When you access the protected web application from the client pc (the one in the AD domain) the url used has to contain the SPN name
eg where domainname is the SPN.
and not
I think this is what triggers IE to send the kerberos ticket during the negotiate step.

The order of the identity asserters (in the WL console) is important the SPNEGO one should be first and the AD one should be second and have a value of SUFFICIENT for the control flag.

I have done all of the above and it still doesn't work but I think that there should be a servlet to handle the kerberos negotiation. A previous version of the WLES documentation does mention a negotiate servlet but has since been removed. I have sent an email to one of the security gurus at BEA, but as I am out of the office all week I don't know if I have a reply.

I don't know if the above is of any use but I will post more info as I get it.