Based on your desire for Spark to auto launch/login, SSO is the way to go. However, configuring SSO with AD is definitely non-trivial. I just spent the better part of a day getting it working. When a domain user with proper access to the domain controller attempts to connect, no password is necessary.
Mac users not authenticated to your domain will still need to use a password. External users will also still need to use a password.
If you want to go down the SSO road, I'd recommend the document linked in this thread Re: desperately trying to get Windows SSO working with win2k8r2 and Win7. It was by far the best document. Feel free to PM me if you want me details on my experience getting SSO with AD working.