Macintosh Safari Browser and IIS with Kerberos

Tim Alsop Tim.Alsop at CyberSafe.Ltd.UK
Fri Dec 5 12:18:51 EST 2003


Sam,

Surely one view to take on this is:

Apple have taken a decision to implement the IETF draft protocol that Microsoft use in IE and IIS. They have done this, but not correctly. If they are going to implement an IETF draft they should make their browser work the same way that IE works so that IIS cannot tell the difference ???

However, I do understand that an implementation with Mac OSX and IIS involves different security considerations, especially related to delegation, to an environment where 100% Microsoft platforms are involved (Windows, IE, IIS).

Thanks, Tim.

-----Original Message-----
From: Sam Hartman [mailto:hartmans at mit.edu] 
Sent: 05 December 2003 16:53
To: Tim Alsop
Cc: swbell; kerberos at mit.edu
Subject: Re: Macintosh Safari Browser and IIS with Kerberos

>>>>> "Tim" == Tim Alsop <Tim.Alsop at CyberSafe.Ltd.UK> writes:

    Tim>    In this particular example we have a Web application which
    Tim> needs user credentials to communicate with a back-end
    Tim> system. We are therefore able to control the use of
    Tim> credential forwarding within the scope of this
    Tim> application. However, the Safari browser does not appear to
    Tim> support the credential delegation capability that MS have
    Tim> implemented in IE/IIS. If the account principal used for IIS
    Tim> server is set to 'ok as delegate' in AD then a Safari browser
    Tim> is supposed to obtain a forwarded tgt from the KDC and pass
    Tim> to IIS server, but it is not doing this.

Again, it is not clear that implementing this is a reasonable policy decision for Apple.  How do they handle things in the non-AD case?

My point is that Apple needs to distinguish your case from cases where forwarding is inappropriate.  Doing so will require design and implementation work.
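
The client-side decision discussed in this thread, sketched as an added example that is not part of the original messages and not Apple's, Microsoft's or MIT's code: a check that forwards a TGT only when a local allow list, the KDC's ok-as-delegate flag and the TGT's forwardable flag all agree. The flag bit positions are those of RFC 4120 TicketFlags; `deleg_policy`, `decide_delegation`, the `require_ok_as_delegate` switch (off for realms whose KDC never sets the flag) and the `.corp.example` hosts are hypothetical names and constructed sample values.

```c
#include <stdint.h>
#include <string.h>
#include <strings.h>

/* RFC 4120 TicketFlags; bit 0 is the most significant bit of the 32-bit word. */
#define TKT_FORWARDABLE    0x40000000u /* bit 1 */
#define TKT_OK_AS_DELEGATE 0x00040000u /* bit 13 */

enum deleg { DELEG_SEND, DELEG_LOCAL_DENY, DELEG_KDC_NOT_OK, DELEG_TGT_NOT_FORWARDABLE };

struct deleg_policy {              /* hypothetical client-side policy */
    const char *const *allow;      /* NULL-terminated; ".suffix" or exact host */
    int require_ok_as_delegate;    /* 0 for KDCs that never set the flag */
};

static int host_allowed(const struct deleg_policy *p, const char *host)
{
    size_t hl = strlen(host);
    for (const char *const *a = p->allow; a && *a; a++) {
        size_t al = strlen(*a);
        if (strcasecmp(host, *a) == 0)
            return 1;
        /* The leading dot keeps "evilcorp.example" from matching ".corp.example". */
        if ((*a)[0] == '.' && al < hl && strcasecmp(host + hl - al, *a) == 0)
            return 1;
    }
    return 0;
}

/* Decide whether to forward a TGT to the service; local policy is checked first. */
enum deleg decide_delegation(const struct deleg_policy *p, const char *host,
                             uint32_t tgt_flags, uint32_t svc_flags)
{
    if (!host_allowed(p, host))
        return DELEG_LOCAL_DENY;
    if (p->require_ok_as_delegate && !(svc_flags & TKT_OK_AS_DELEGATE))
        return DELEG_KDC_NOT_OK;
    if (!(tgt_flags & TKT_FORWARDABLE))
        return DELEG_TGT_NOT_FORWARDABLE;
    return DELEG_SEND;
}

/* Constructed sample policies: an AD-style realm and a realm without the flag. */
static const char *const sample_allow[] = { ".corp.example", NULL };
const struct deleg_policy ad_policy = { sample_allow, 1 };
const struct deleg_policy plain_policy = { sample_allow, 0 };

int main(void) { return decide_delegation(&ad_policy, "iis.corp.example",
                                          TKT_FORWARDABLE, TKT_OK_AS_DELEGATE); }
```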

