Your first idea is great: you'll have to install Kerberos on your server and, if you are on Linux, integrate Kerberos into your PAM auth or into your OpenLDAP auth.
You need to create REALMs on the Kerberos server, which are the realms for your users.
Later, when everything is working fine, you'll log in to your OS, and with the successful login you'll get a "ticket" from the Kerberos Ticket Granting Server.
So now a user comes and logs into the OS; he has no ticket yet, so the answer of the successful login comes from the auth system of the OS, the ticket is created (initial auth request) and the user is logged in.
Your web app on the application server could be in another realm, but if there is a relationship between those two realms the user can browse to the web app and will be logged in automatically by Kerberos, because he is currently logged in and has a ticket in the TGS.
Great: log in only once and use all the applications around.
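To make the flow in that answer concrete, here is an added toy model of it in Python (constructed for this page, not from the answer's author or from any Kerberos implementation). Realm names, principals and keys are made up; `seal()`/`unseal()` are a stand-in for Kerberos' real encryption types and no wire format is modelled. What it does follow is the shape of the exchanges: the OS login (AS exchange) yields a TGT, the client trades that TGT for a cross-realm TGT at its own KDC, trades that at the other realm's KDC for a service ticket, and the web app verifies the ticket with only its own keytab key, never seeing a password.

```python
"""Toy model of Kerberos SSO across two trusting realms (constructed example).
seal()/unseal() are an HMAC-SHA256 keystream plus tag, NOT Kerberos' real
encryption or message format; the AS / TGS / AP exchanges are the point."""
import hashlib, hmac, json, os

TICKET_LIFETIME = 8 * 3600   # seconds a ticket stays valid (a KDC policy setting in real life)
CLOCK_SKEW = 300             # authenticators older than this are rejected (replay defence)

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object under a 32-byte key; only that key can open it."""
    data = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def verify(service_key, blob, authenticator, now):
    """Open a ticket with the service's own key and check the client's authenticator."""
    t = unseal(service_key, blob)
    a = unseal(bytes.fromhex(t["key"]), authenticator)   # proves the client holds the session key
    if t["expires"] <= now or a["client"] != t["client"] or abs(a["time"] - now) > CLOCK_SKEW:
        raise PermissionError("expired ticket or stale/mismatched authenticator")
    return t

class KDC:
    def __init__(self, realm):
        self.realm, self.keys = realm, {}          # keys: principal -> long-term key (the KDC database)

    def register(self, principal, key=None):
        self.keys[principal] = key or os.urandom(32)
        return self.keys[principal]

    def as_exchange(self, principal, now):
        """AS-REQ/AS-REP at OS login: a TGT plus the session key sealed under the user's key."""
        sess, exp = os.urandom(32).hex(), now + TICKET_LIFETIME
        tgs = f"krbtgt/{self.realm}@{self.realm}"
        tgt = (tgs, seal(self.keys[tgs], {"client": principal, "key": sess, "expires": exp}))
        return tgt, seal(self.keys[principal], {"key": sess, "expires": exp})

    def tgs_exchange(self, ticket, authenticator, service, now):
        """TGS-REQ/TGS-REP: exchange a TGT (own or cross-realm) for a ticket to `service`."""
        sname, blob = ticket
        if sname not in self.keys or service not in self.keys:
            raise PermissionError(f"{self.realm}: no key for {sname} or {service} (no trust / unknown service)")
        t = verify(self.keys[sname], blob, authenticator, now)
        sess, exp = os.urandom(32).hex(), min(t["expires"], now + TICKET_LIFETIME)
        new = (service, seal(self.keys[service], {"client": t["client"], "key": sess, "expires": exp}))
        return new, seal(bytes.fromhex(t["key"]), {"key": sess, "expires": exp})

class Client:
    def __init__(self, principal, key, kdcs):
        self.principal, self.key, self.kdcs = principal, key, kdcs
        self.realm = principal.rsplit("@", 1)[1]
        self.cache = {}                            # sname -> (ticket, session key): the credential cache

    def login(self, now):
        tgt, enc = self.kdcs[self.realm].as_exchange(self.principal, now)
        self.cache[tgt[0]] = (tgt, unseal(self.key, enc)["key"])   # the password never leaves the client

    def _authenticator(self, sess, now):
        return seal(bytes.fromhex(sess), {"client": self.principal, "time": now})

    def _request(self, kdc, via, service, now):
        ticket, sess = self.cache[via]
        new, enc = kdc.tgs_exchange(ticket, self._authenticator(sess, now), service, now)
        self.cache[service] = (new, unseal(bytes.fromhex(sess), enc)["key"])

    def ap_req(self, service, now):
        """Return (ticket, authenticator) for `service`, fetching tickets as needed."""
        if service not in self.cache:
            realm, via = service.rsplit("@", 1)[1], f"krbtgt/{self.realm}@{self.realm}"
            if realm != self.realm:                # foreign realm: go through the cross-realm TGT
                xrealm = f"krbtgt/{realm}@{self.realm}"
                if xrealm not in self.cache:
                    self._request(self.kdcs[self.realm], via, xrealm, now)
                via = xrealm
            self._request(self.kdcs[realm], via, service, now)
        ticket, sess = self.cache[service]
        return ticket, self._authenticator(sess, now)

class WebApp:
    def __init__(self, principal, keytab_key):
        self.principal, self.key = principal, keytab_key

    def accept(self, ap_req, now):
        """AP-REQ check: the app sees a ticket and authenticator, never a password."""
        (sname, blob), authenticator = ap_req
        if sname != self.principal:
            raise PermissionError("ticket was issued for a different service")
        return verify(self.key, blob, authenticator, now)["client"]

def demo(now=1_700_000_000):
    """Constructed realms: APPS.EXAMPLE trusts logins from CORP.EXAMPLE (one-way trust)."""
    corp, apps = KDC("CORP.EXAMPLE"), KDC("APPS.EXAMPLE")
    corp.register("krbtgt/CORP.EXAMPLE@CORP.EXAMPLE")
    apps.register("krbtgt/APPS.EXAMPLE@APPS.EXAMPLE")
    trust = os.urandom(32)                         # inter-realm key provisioned in both KDC databases
    corp.register("krbtgt/APPS.EXAMPLE@CORP.EXAMPLE", trust)
    apps.register("krbtgt/APPS.EXAMPLE@CORP.EXAMPLE", trust)
    kdcs = {"CORP.EXAMPLE": corp, "APPS.EXAMPLE": apps}
    alice = Client("alice@CORP.EXAMPLE", corp.register("alice@CORP.EXAMPLE"), kdcs)
    web = WebApp("HTTP/web.apps.example@APPS.EXAMPLE", apps.register("HTTP/web.apps.example@APPS.EXAMPLE"))
    alice.login(now)                               # one OS login ...
    return web.accept(alice.ap_req(web.principal, now), now), alice, web   # ... and the app knows who it is
```

After `demo()` the client's cache holds three entries, its own TGT, the cross-realm TGT `krbtgt/APPS.EXAMPLE@CORP.EXAMPLE`, and the service ticket, which is what `klist` would show on a real workstation. Because only the `krbtgt/APPS.EXAMPLE@CORP.EXAMPLE` key is shared, the trust is one-way: a user from APPS.EXAMPLE has no path to CORP.EXAMPLE services. Expired tickets, a flipped byte in a ticket, or a ticket issued for a different service all fail at `verify()`, and the web app does all of that with nothing but its own keytab key.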