Macintosh Safari Browser and IIS with Kerberos

Tim Alsop Tim.Alsop at CyberSafe.Ltd.UK
Fri Dec 5 11:11:45 EST 2003


Sam,

I agree that credentials should only be forwarded when needed and I also agree that the MS implementation of Kerberos gives less control over this than non-MS implementations of Kerberos. 

In this particular example we have a Web application which needs user credentials to communicate with a back-end system. We are therefore able to control the use of credential forwarding within the scope of this application. However, the Safari browser does not appear to support the credential delegation capability that MS have implemented in IE/IIS. If the account principal used for the IIS server is set to 'ok as delegate' in AD then a Safari browser is supposed to obtain a forwarded TGT from the KDC and pass it to the IIS server, but it is not doing this.

I talked to Apple earlier today, but the person I spoke to doesn't appear to be very knowledgeable about this area of their products. I wondered if MIT were involved in the Kerberos enablement of Safari in any way?

Thanks, Tim. 

-----Original Message-----
From: Sam Hartman [mailto:hartmans at mit.edu] 
Sent: 05 December 2003 16:06
To: Tim Alsop
Cc: swbell; kerberos at mit.edu
Subject: Re: Macintosh Safari Browser and IIS with Kerberos

>>>>> "Tim" == Tim Alsop <Tim.Alsop at CyberSafe.Ltd.UK> writes:

    Tim>    Sam,

    Tim>    I don't understand your comment about authorisation. Can
    Tim> you explain?

    Tim>    Specially, what is the difference between using a Mac OSX
    Tim> client and a Windows client to access the same IIS server
    Tim> with credential delegation for a specific web application ?

First, I'm concerned that Microsoft may tend to forward credentials more than is ideal.

More importantly, I suspect that the OSX Kerberos support will be used in many wider environments than the IIS support.  All the machines in a Windows domain tend to be under relatively tight administrative control of a single organization.  That's not generally true of a Kerberos realm.
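The behaviour discussed above hinges on one thing a client can observe: whether the KDC set the OK-AS-DELEGATE flag in the service ticket issued for the IIS principal (MIT `klist -f` shows it as `O`). As an added example that is not part of this thread, the Python below decodes the RFC 4120 TicketFlags BIT STRING from a constructed sample ticket and reports that flag; the sample bytes and the helper names are assumptions made for this illustration.

```python
# Added example (not from the thread): decode the RFC 4120 TicketFlags BIT STRING
# of a service ticket and report whether the KDC set OK-AS-DELEGATE on it, the
# condition under which a Kerberos client would forward a TGT to that service.

# Flag names by bit number, RFC 4120 section 5.4.1 (bit 0 is reserved).
TICKET_FLAG_NAMES = (
    "reserved", "forwardable", "forwarded", "proxiable", "proxy",
    "may-postdate", "postdated", "invalid", "renewable", "initial",
    "pre-authent", "hw-authent", "transited-policy-checked", "ok-as-delegate",
)


def decode_ticket_flags(der):
    """Return the set of flag names in a DER BIT STRING (tag 0x03, short length).

    Layout: tag, length, a byte with the number of unused trailing bits, then
    the bits packed MSB-first, so bit n lives in byte n // 8 at position 7 - n % 8.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated BIT STRING length")
    unused, body = der[2], der[3:]
    nbits = len(body) * 8 - unused
    names = set()
    for bit in range(1, min(nbits, len(TICKET_FLAG_NAMES))):
        if (body[bit // 8] >> (7 - bit % 8)) & 1:
            names.add(TICKET_FLAG_NAMES[bit])
    return names


def encode_ticket_flags(names):
    """Inverse of decode_ticket_flags; used to build constructed sample tickets."""
    body = bytearray(4)  # Kerberos implementations emit a 32-bit flag field
    for bit, name in enumerate(TICKET_FLAG_NAMES):
        if bit and name in names:
            body[bit // 8] |= 1 << (7 - bit % 8)
    return bytes([0x03, len(body) + 1, 0]) + bytes(body)


def delegation_allowed(der):
    """True only when the KDC marked this service ticket ok-as-delegate."""
    return "ok-as-delegate" in decode_ticket_flags(der)


# Constructed sample: a service ticket for a host trusted for delegation.
SAMPLE_TICKET_FLAGS = encode_ticket_flags(
    {"forwardable", "renewable", "pre-authent", "ok-as-delegate"})
```

If `delegation_allowed` is false for the ticket a client holds for the IIS host principal, the 'ok as delegate' setting in AD is not reaching the ticket and no compliant client should forward a TGT, whatever the browser does.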