One of our customers wanted to authenticate users based on active directory, and we found that web browsers and web servers each usually have a "gssapi" plugin that can do the authentication based on current windows user. What we ended up doing was installing the gssapi plugin for apache, then doing a bunch of awkward kerberos ticket things for the linux server than ran apache, then have the gssapi plugin handle the entire http auth sequence and then hand a header to the perl app, So the perl app never needed to talk to active directory, it just reads a header in the request to know who is authenticated. (and be sure to configure apache to not allow that header to be supplied by the client!)

One disadvantage of that method is because it is HTTP auth, there is no way to log out. If they are logged in on the desktop they have access and if not they don't. If you wanted to control it from Perl, you would need to handle the http auth handshake on your own, using a plugin for whatever web framework you use, if one exists.

I'm also not sure if it is possible to get the browser to report the username without going through the full auth sequence.