Often times this is done using a combination of LDAP and NTLM. Browsers like IE and Firefox can do NTLM authentication, which I believe is how Sharepoint works. I run a Java-based portal application that uses LDAP for syncing users and NTLM for authentication.
What you absolutely do not want to do is have the user enter their domain username and password into the browser. In years past I've seen several projects using this approach with LDAP to authenticate Windows users. You're correct, it is a security concern. The user should enter his or her password only once: when logging in to the workstation. The last thing you want are passwords sitting around in cache / temp files.
I apologize that I can not provide a "here's how you do it with a PHP app" answer. As far as I know, there is no one answer to this problem.
(One thing I have done in the past, and I never really checked to see if it was valid or poor form, was to use PHP from IIS. If you're using IIS, then PHP will populate the server variable REMOTE_USER with the Windows user's username (DOMAIN\user). It worked for what I was doing at the time.)