Single Sign-On Server Authentication in Ruby/Rack

I write and host web applications on Windows servers for intranet usage. My server stack uses Sinatra (which uses Rack), Thin, and (in some cases) Apache for reverse-proxying only.

I want to support Single Sign-on (using NTLM or Kerberos) within our ActiveDirectory-backed domain. I have seen that I can use mod_ntlm or mod_auth_kerb when I'm behind Apache to perform my NTLM authentication. I haven't tried this yet, but I assume it will work.

My question is about NTLM or Kerberos authentication when I'm not behind Apache, using only Thin and Sinatra. I've seen rack-ntlm, but the usage details there are exceedingly sparse.

Please provide known-working code under Sinatra or Rack that shows how to use NTLM or Kerberos on the server-side, authenticating with ActiveDirectory (presumably via net-ldap).

Edit: Emphasized the desired answers, as no answers so far come close to providing the explicit help this question is asking for. Users should be able to find this answer and have a working solution, not pointers to external libraries that they must figure out how to use.

15
asked by Phrogz, 26 April 2011 at 15:11