Our client's network has three AD forests - myorg.ac.uk, ad.myorg.ac.uk, students.myorg.ac.uk. Staff accounts are in the staff.ad.myorg.uk domain. Student accounts are in the students.myorg.ac.uk root domain. Moodle runs on Windows Server 2008 / IIS and is a member of the resource.myorg.ac.uk domain. The resource domain trusts the students and staff.ad domains. They are currently running Moodle 1.9, and have modified the LDAP plugin so that two instances are installed for authenticating against the staff and student domains.
The client wants to upgrade to Moodle 2.5 and implement true SSO. Any suggestions as to the best way to go about this?
I've never tried it with several forests, only with several domains in the same forest, so it might or might not work. The trick is using a global catalog server as the LDAP server Moodle uses, and querying the Global Catalog service instead of the LDAP service. See http://docs.moodle.org/26/en/LDAP_authentication#Using_a_multi-domain_AD_environment for some details.
I've never used NTLM SSO with a setup like that, so I can't say whether it'll work or not. To start with, NTLM doesn't work if you have users with the same sAMAccountName in different domains, as it's unable to tell them apart (doesn't use the domain part at all). You could overcome this using SSPI/Kerberos instead of NTLM, but the setup is a bit more complicated.
A second option worth exploring is using the SAML authentication plugin against ADFS. I've never used it myself, but several people in the forums have talked about its possibilities.
A third option is keeping the same strategy your client is using right now: have several LDAP auth plugins, each querying a different LDAP server. There's a patch to the standard LDAP auth plugin (maintained by me) to do this. I currently have versions of the patch for Moodle 2.2 onwards. I publish new or updated versions from time to time in a forum discussion here at Moodle.org. If you don't find it or don't find the version you need, feel free to send me a private message here on Moodle.org.
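The reply above makes two practical points: the Global Catalog can be queried as one LDAP source for users from several domains, and NTLM SSO breaks when the same sAMAccountName exists in more than one domain because only the bare username is used. The script below is an added example (not code from the thread, from Moodle, or from the LDAP plugin) that audits Global Catalog user entries for exactly that collision and shows that userPrincipalName, which carries the domain suffix, stays unambiguous. The entries in `SAMPLE_GC_ENTRIES` are constructed sample data shaped like the attributes a GC search returns; `fetch_gc_users` is an optional helper using the third-party `ldap3` library to pull real entries from a GC on TCP 3268, and its host, bind DN and base DN parameters are assumptions you would fill in.

```python
"""Audit Global Catalog user entries for cross-domain sAMAccountName collisions.

Added example, not part of the forum thread or of Moodle's LDAP plugin.
"""
from collections import defaultdict

# Constructed sample data: a staff "jsmith" and a student "jsmith" live in
# different domains, which is the situation NTLM SSO cannot disambiguate.
SAMPLE_GC_ENTRIES = [
    {"dn": "CN=John Smith,OU=Staff,DC=staff,DC=ad,DC=myorg,DC=ac,DC=uk",
     "sAMAccountName": "jsmith",
     "userPrincipalName": "jsmith@staff.ad.myorg.ac.uk"},
    {"dn": "CN=Jane Smith,OU=Students,DC=students,DC=myorg,DC=ac,DC=uk",
     "sAMAccountName": "jsmith",
     "userPrincipalName": "jsmith@students.myorg.ac.uk"},
    {"dn": "CN=Ann Lee,OU=Staff,DC=staff,DC=ad,DC=myorg,DC=ac,DC=uk",
     "sAMAccountName": "alee",
     "userPrincipalName": "alee@staff.ad.myorg.ac.uk"},
]


def domain_from_dn(dn):
    """Derive the DNS domain name from the DC= components of a distinguished name."""
    parts = [p.split("=", 1)[1].strip() for p in dn.split(",")
             if p.strip().upper().startswith("DC=")]
    return ".".join(parts).lower()


def lookup_by_samaccountname(entries, username):
    """Mimic an NTLM-style lookup that only has the bare username to work with.

    Returns every entry whose sAMAccountName matches; more than one result
    means the login cannot be attributed to a single account.
    """
    wanted = username.lower()
    return [e for e in entries if e["sAMAccountName"].lower() == wanted]


def find_samaccountname_collisions(entries):
    """Return {sAMAccountName: [entries]} for names present in more than one domain."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["sAMAccountName"].lower()].append(e)
    return {name: es for name, es in by_name.items()
            if len({domain_from_dn(e["dn"]) for e in es}) > 1}


def index_by_upn(entries):
    """Build a UPN -> entry map; UPNs include the domain suffix, so they stay unique.

    A duplicate UPN is a directory problem in its own right, so it raises.
    """
    index = {}
    for e in entries:
        upn = e["userPrincipalName"].lower()
        if upn in index:
            raise ValueError("duplicate userPrincipalName: %s" % upn)
        index[upn] = e
    return index


def fetch_gc_users(host, bind_dn, password, base_dn):
    """Fetch user entries from a Global Catalog (port 3268) with ldap3.

    Assumed helper: requires the third-party ldap3 package and network access,
    so it is imported lazily and not exercised by the sample run below.
    """
    import ldap3  # third-party; pip install ldap3
    server = ldap3.Server(host, port=3268, get_info=ldap3.NONE)
    conn = ldap3.Connection(server, user=bind_dn, password=password, auto_bind=True)
    conn.search(base_dn, "(&(objectClass=user)(sAMAccountName=*))",
                attributes=["sAMAccountName", "userPrincipalName"])
    return [{"dn": entry.entry_dn,
             "sAMAccountName": entry.sAMAccountName.value,
             "userPrincipalName": entry.userPrincipalName.value}
            for entry in conn.entries]


if __name__ == "__main__":
    collisions = find_samaccountname_collisions(SAMPLE_GC_ENTRIES)
    for name, es in collisions.items():
        print("sAMAccountName %r is ambiguous across domains:" % name)
        for e in es:
            print("   ", e["userPrincipalName"])
    print("UPN index size:", len(index_by_upn(SAMPLE_GC_ENTRIES)))
```

Run against a real export, a non-empty result from `find_samaccountname_collisions` is the list of accounts for which NTLM SSO would hand the wrong user a session, and the case for keying Moodle's user lookup on userPrincipalName (or moving to Kerberos, as the reply suggests) rather than on sAMAccountName alone.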
Can you please send me a link to your LDAP patch?
This (looong) forum thread contains links to the different available versions of the patch: https://moodle.org/mod/forum/discuss.php?d=74279
Make sure you use the matching version for your Moodle version.
If you or your client has Shibboleth experience / an Identity Provider (IdP - think of it as open source ADFS that doesn't require AD, if you're not familiar with it) or is willing to buy it in, then you could use that - it is certainly possible to have that work across multiple AD domains. It's basically a well-documented use of SAML.
You would then need to set something up on the IdP so that it can use Kerberos to do SSO using tokens from the user's desktop, and the Service Provider software on the server(s) running Moodle - I've set up a couple of the SPs, and they are far easier than the IdPs to implement from scratch.