Here's a short answer:

This is a problem that has already been solved. LDAP (a.k.a. OpenDirectory) and Kerberos are two typical methods that are used on an enterprise level. Their security characteristics are well-known, as are their centralized system management tools. You can now "log in" (authenticate...) to any computer that you are authorized to use, and access any internal website or application or what-have-you that you are authorized to use. The processes of both authentication and authorization are done one way no matter who's doing it, and they're controlled in one way no matter what type of system is referring to it. Logging and auditing are also handled in a known and consistent way.
Both the design and the implementation were done openly, and by qualified experts in the field. Their work has been peer-reviewed and studied for years since; and it's still going on. You don't need to understand how the vehicle works in order to climb aboard.
If you've got 3,500+ users who need to hit 960 servers ... as one client of mine does ... believe me, that's a big deal.

You don't want to "roll your own solution" when there is any security infrastructure available that you can hop-a-ride with instead.