Kerberos for windows support in Mozilla

Sam Hartman hartmans at MIT.EDU
Wed Feb 2 13:52:45 EST 2005

>>>>> "Wyllys" == Wyllys Ingersoll <wyllys.ingersoll at> writes:

    Wyllys> Sam Hartman wrote:
    >> I'd like to echo Doug's comments.  I'm actually not at all sure
    >> you'd want the default to be SSPI if you find a new enough KFW.
    >> The intent is that KFW will pick up SSPI credentials if
    >> necessary/desirable.  I don't know that we are there yet but
    >> should be soon.

    Wyllys> If KfW were able to pick up SSPI creds then that would be
    Wyllys> very nice indeed.  Then it wouldn't make a difference to
    Wyllys> the user what was happening under the covers.

KFW can pick up SSPI creds today and that works quite well.  What I'm
not sure about is whether its default configuration will do the right
thing in enough of the situations that I could recommend using KFW if
you find it.

    Wyllys> As far as the default goes, I still think that SSPI has to
    Wyllys> be the default since it is going to be available 100% of
    Wyllys> the time (for Win2K and above, obviously).  KfW is not.

Our argument is that you want things to work for most users regardless
of what they do.

When configured properly KFW will either pick up credentials from SSPI
or from its own cache depending on what the user has selected.  I
believe it is possible to get KFW working well enough that its default
configuration will work in any situation where SSPI works.  In
addition, I believe that it will work in several situations where SSPI
does not work.

So, I'd like to get to a point where I can convince you that the right
thing to do is to try to find KFW and if it is present use it by
default.  If it is not present or if the user has explicitly selected
against it then use SSPI.  In order for me to try and convince you of
that, KFW needs to work in all (or almost all) situations where SSPI

    >> We'd be happy to show you how to make this be a runtime option.
    >> We'd

    Wyllys> I think making it a run-time option is really the key
    Wyllys> thing because I doubt that anyone wants to maintain
    Wyllys> multiple windows binary distributions and ask the users to
    Wyllys> choose "do you want the one that uses Kerberos-for-Windows
    Wyllys> or SSPI?".  The average user (or even administrator) will
    Wyllys> have no idea what it means to choose one or the other.

Sure; it needs to be runtime.
