Kerberos for windows support in Mozilla

Wyllys Ingersoll wyllys.ingersoll at
Wed Feb 2 13:32:02 EST 2005

I am not opposed to having KfW support in mozilla for Windows.
I was mostly questioning the level of demand and it's applicability.

IMO, most sites that want the SPNEGO auth feature, probably
want it to access their IIS web servers.   This sort of implies that
they already have an AD infrastructure and would not benefit much
from using a non-SSPI interface.

Of course, there are places that have standardized on Apache
and are using one of the mod_auth_krb5 variants that
are out there, and they would be the ones who want KfW GSS
support instead of SSPI.

I do understand there are situations where this would be
useful, but I would guess that compared to the general
Mozilla (on Windows) user community, the number of people
who really *need* KfW is small.

But, hey, if someone wants to contribute patches to make it possible
to build a KfW-enabled version, go for it.   Mozilla is open source,
anyone can update it and try to get it accepted into the main
source tree.


Tim Alsop wrote:

>I would be interested to discuss with somebody the possibility of
>Mozilla being able to use the CyberSafe GSS-API library on Windows as
>well as the MIT GSS, and perhaps (for completeness) the Hiemdal GSS
>library as well... From our perspective I can see a need for this
>functionality - as you mentioned, sometimes the workstation does not
>have access to AD, or is part of a non-Microsoft Kerberos realm etc.
>Regards, Tim. 
>-----Original Message-----
>From: kerberos-bounces at [mailto:kerberos-bounces at] On
>Behalf Of Douglas E. Engert
>Sent: 02 February 2005 17:46
>To: Wyllys Ingersoll; 'kerberos at'
>Subject: Kerberos for windows support in Mozilla
>I saw your response to the bug report suggesting adding KfW support to
>Mozilla for Windows.
>I think this would be a great idea, and people in the Kerberos community
>would agree as well, and express their comments as well.
>There are many windows machines that are not in a domain, or are on
>travel and can not access the AD or are part of a Kerberos realm at all
>yet the user would like to use Kerberos to access a web services.
>These might even be now Windows servers that support SPNEGO line Apache.
>Please reconsider your coments.

More information about the Kerberos mailing list