Javier Palacios javiplx at
Thu Jul 17 10:55:51 EDT 2008

>> I wanted to use Kerberos to authenticate the user.  After research, I
>> thought this would make sense.  I saw some suggestions using CoSign or
>> WebAuth.  I can't use WebAuth because it is only for Linux, and CoSign is
>> written for Apache (but there are ISAPI filters i guess for IIS) and I am
>> running off of Microsoft IIS.
>>  [...]
> You may want to search for SPNEGO and mod_auth_kerb. Windows IE and IIS
> have SPNEGO built in, and can use the Kerberos in Active Directory.
> Apache can use mod_auth_kerb that supports SPNEGO. With FireFox 2 on any platform
> see the about:config and the network.negotiate-auth.trusted-uris option.

The main (and probably only) drawback of this method is that is all
about HTTP basic authentication, and most of applications only allow
some kind of cookie based auth.

You might want to look at PAPI (, it only
provides Web SSO, but I think is enough for you. Allows multiple
authentication backends, and although it is not packaged as default it
is possible to use Kerberos (actually, I tested it successfully
against a W3K domain controller).
On the authentication server side, as far as I remember it forces you
to use apache (but apache for Windows is OK).
And regarding the application side, the IIS might be a problem, except
if the code is PHP. But you can integrate it with Java (a tomcat
filter at least).

Hope this helps.

Javier Palacios

More information about the Kerberos mailing list