Kerberos support in Thunderbird

Jeffrey Hutzelman jhutz at cmu.edu
Mon Sep 12 13:39:56 EDT 2005


On Monday, September 12, 2005 15:13:27 +0000 Jeffrey Altman 
<jaltman2 at nyc.rr.com> wrote:

> This can end up causing some problems for end users.  It is entirely
> possible for the GSSAPI authentication to succeed and yet the user
> will be unable to access the mailbox they are attempting to reach
> because the principal used is not the one which has authorization for
> accessing the mailbox.

And yet, it is what nearly every Kerberized application in existance does, 
and it seems to work reasonably well.  I realize that you would like to see 
a better UI for client credential selection, but today, this is the best 
current practice.

That said, most mail software I've seen does allow the user to specify the 
authentication mechanism to use on a per-account basis.  That would seem to 
be appropriate here, as well.

-- Jeff


More information about the Kerberos mailing list