Macintosh Safari Browser and IIS with Kerberos
Sam Hartman
hartmans at MIT.EDU
Fri Dec 5 11:53:28 EST 2003
>>>>> "Tim" == Tim Alsop <Tim.Alsop at CyberSafe.Ltd.UK> writes:
Tim> In this particular example we have a Web application which
Tim> needs user credentials to communicate with a back-end
Tim> system. We are therefore able to control the use of
Tim> credential forwarding within the scope of this
Tim> application. However, the Safari browser does not appear to
Tim> support the credential delegation capability that MS have
Tim> implemented in IE/IIS. If the account principal used for IIS
Tim> server is set to 'ok as delegate' in AD then a Safari browser
Tim> is supposed to obtain a forwarded tgt from the KDC and pass
Tim> to IIS server, but it is not doing this.
Again, it is not clear that implementing this is a reasonable policy
decision for Apple. How do they handle thiyngs in the non-AD case?
My point is that Apple needs to distinguish your case from cases where
forwarding is inappropriate. Doing so will require design and
implementation work.
More information about the Kerberos
mailing list