Kerberos for windows support in Mozilla

Tim Alsop Tim.Alsop at CyberSafe.Ltd.UK
Wed Feb 2 13:56:22 EST 2005

Comments below prefixed with Tim>

-----Original Message-----
From: kerberos-bounces at [mailto:kerberos-bounces at] On
Behalf Of Wyllys Ingersoll
Sent: 02 February 2005 18:45
To: Sam Hartman
Cc: 'kerberos at'; Douglas E. Engert
Subject: Re: Kerberos for windows support in Mozilla

Sam Hartman wrote:

>I'd like to echo Doug's comments.  I'm actually not at all sure you'd 
>want the default to be SSPI if you find a new enough KFW.  The intent 
>is that KFW will pick up SSPI credentials if necessary/desirable.  I 
>don't know that we are there yet but should be soon.

If KfW were able to pick up SSPI creds then that would be very nice
Then it wouldn't make a difference to the user what was happening under
the covers.

Tim> The CyberSafe library already 'picks up SSPI creds' in this way,
and has done so for over 3 years. It is indeed very nice :-)

As far as the default goes, I still think that SSPI has to be the
default since it is going to be available 100% of the time (for Win2K
and above, obviously).
KfW is not.  

Tim> I agree. The mozilla product should use SSPI as the default and if
configured to do so it should use the GSS-API library provided by the
Kerberos product installed. There should be no MIT specific or Heimdal
or CyberSafe specific code in this interface because Mozilla should be
able to use standard GSS-API calls to setup the security context with
the web server.

>We'd be happy to show you how to make this be a runtime option.  We'd

I think making it a run-time option is really the key thing because I
doubt that anyone wants to maintain multiple windows binary
distributions and ask the users to choose "do you want the one that uses
Kerberos-for-Windows or SSPI?".
The average user (or even administrator) will have no idea what it means
to choose one or the other.

Tim> I agree. Runtime is the only solution that will be viable in my

Assuming the KfW GSSAPI interface is just like the Unix one, then I
think very little new code would have to be added since the Unix/Linux
builds already work with GSSAPI.  The fixes would mostly be to the
configuration and build environment.

Tim> Wonderful. So, question is : who is going to be first to make these
changes to Windows version ??? :-)


Kerberos mailing list           Kerberos at

More information about the Kerberos mailing list