Michael B Allen ioplex at
Thu Jul 17 21:32:24 EDT 2008

On Thu, Jul 17, 2008 at 6:46 PM, Russ Allbery <rra at> wrote:
>> And that is the scenario where direct SPNEGO / NTLMSSP solutions are
>> going to perform better.
> If by "better" you mean "pretty much the same," yes, modulo the
> configuration note that I mentioned.

No, I definitely meant "better".

With direct SPNEGO we 401 the initial HTTP request, accept one GSSAPI
token and get a TGT.

With something like WebAuth, the client is redirected to a central
server, then you have to do all of the above (or an explicit login
which is more stuff) and then redirect the client back to the original
target (and this doesn't include getting a TGT on the target server).

With Plexcel we can do SPNEGO, check group membership (we extract the
group SIDs from the PAC), get app-level access to basic user info and
get a TGT without talking to a third party at all. The time between the
initial HTTP request and the 200 response is less than 20 ms (or ~50
ms if the user is in a few hundred groups).


Michael B Allen
PHP Active Directory SPNEGO SSO
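Added example, not Plexcel's code and not from this thread: the server side of the direct SPNEGO exchange described above, which answers the first request with a 401 Negotiate challenge and then inspects the single token the client sends back. The DER walker, the mechanism-name table and the Kerberos-only policy are my own construction; after this check a real handler passes the token to GSSAPI accept_sec_context, which is what actually authenticates the user.

```python
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")                # 1.3.6.1.5.5.2
MECH_NAMES = {                                             # DER-encoded OID -> name
    bytes.fromhex("2a864886f712010202"): "KRB5",           # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "MS-KRB5",        # 1.2.840.48018.1.2.2
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",      # 1.3.6.1.4.1.311.2.2.10
}

def _tlv(buf, pos=0):
    """Read one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def spnego_mech_types(token):
    """mechTypes of a SPNEGO NegTokenInit, preferred mech first; [] if not one."""
    try:
        tag, body, _ = _tlv(token)                         # [APPLICATION 0] GSS header
        _, oid, pos = _tlv(body)                           # thisMech
        if tag != 0x60 or oid != SPNEGO_OID:               # raw KRB5 AP-REQ, NTLM, ...
            return []
        oids = body[pos:]
        for want in (0xA0, 0x30, 0xA0, 0x30):              # NegTokenInit > SEQ > mechTypes > SEQ OF
            tag, oids, _ = _tlv(oids)
            if tag != want:
                return []
        names, pos = [], 0
        while pos < len(oids):
            _, oid, pos = _tlv(oids, pos)
            names.append(MECH_NAMES.get(oid, oid.hex()))
        return names
    except IndexError:                                     # truncated / malformed DER
        return []

def handle_request(headers):
    """Server side of the 401 / Negotiate exchange -> (status, reason)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Negotiate "):
        return 401, "WWW-Authenticate: Negotiate"          # the one challenge round trip
    token = base64.b64decode(auth[10:].strip())            # bad padding raises; map to 400
    if token.startswith(b"NTLMSSP\x00"):
        return 401, "raw NTLMSSP outside SPNEGO rejected"
    mechs = spnego_mech_types(token)
    if not mechs or mechs[0] == "NTLMSSP":                 # client's preferred mech
        return 401, "Kerberos-only policy; offered %s" % (mechs or "no SPNEGO")
    return 200, "accept GSSAPI token, mechs=%s" % ",".join(mechs)
```

The mechTypes check is only a policy gate: a client that lists KRB5 first can still fall back to NTLM inside the negotiation, so the accept_sec_context result (the negotiated mech) is what to log and enforce on.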

More information about the Kerberos mailing list