Michael B Allen ioplex at
Thu Jul 17 22:16:43 EDT 2008

On Thu, Jul 17, 2008 at 9:52 PM, Christopher D. Clausen
<cclausen at> wrote:
>> With Plexcel we can do SPNEGO, check group membership (we extract the
>> group SIDs from the PAC), app-level access to basic user info and a
>> get TGT without talking to a third party at all. The time between the
>> initial HTTP request and the 200 response is less than 20 ms (or ~50
>> ms if the user is in a few hundred groups).
> The whole point of the central server is to keep end-users from typing
> passwords in at all the other random webservers.

If you read the whole thread you'd know I'm only talking about the
*IntrAnet* scenario. With SPNEGO you do not type in a password at all,
whereas with WebAuth you might need to. If you have a lot of clients
that cannot do SPNEGO then, yes, WebAuth and Cosign are better.

> The point is that those hosting the server are not to be
> trusted with the end user passwords and the central server solves this
> problem.

That's not a problem if you're using AD since you have the "Account is
trusted for delegation" flag which is off by default. No one can set up
a service and lure people into giving up their TGTs. An admin has to
go into the account and flag it as trusted for delegation.


Michael B Allen
PHP Active Directory SPNEGO SSO
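The "Account is trusted for delegation" flag discussed above is the ADS_UF_TRUSTED_FOR_DELEGATION bit (0x80000) of userAccountControl. The following is an added example, not code from the original post or from Plexcel, showing how an AD administrator would enumerate every account that carries that flag, i.e. every account that is allowed to receive forwarded TGTs (unconstrained delegation). It assumes the RSAT ActiveDirectory module is installed and the session has read access to the directory; the variable and property names are the example's own.

```powershell
# Added example (not from the original post): list accounts trusted for
# unconstrained delegation. Assumes the RSAT ActiveDirectory module and a
# domain-joined session with directory read access.
Import-Module ActiveDirectory

# userAccountControl bits (well-known ADS_UF_* values).
$UF_TRUSTED_FOR_DELEGATION = 0x80000    # "Account is trusted for delegation"
$UF_NOT_DELEGATED          = 0x100000   # "Account is sensitive and cannot be delegated"

# LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) tests a single bit of
# userAccountControl on the server side, so only matching objects are returned.
$ldapFilter = "(userAccountControl:1.2.840.113556.1.4.803:=$UF_TRUSTED_FOR_DELEGATION)"

$trusted = Get-ADObject -LDAPFilter $ldapFilter `
    -Properties sAMAccountName, userAccountControl, servicePrincipalName, whenChanged

$trusted | Select-Object `
    sAMAccountName,
    ObjectClass,
    whenChanged,
    @{ Name = 'SPNs'; Expression = { ($_.servicePrincipalName) -join ';' } } |
    Sort-Object ObjectClass, sAMAccountName |
    Format-Table -AutoSize

# Complementary check: privileged accounts should carry NOT_DELEGATED so that
# a service which *is* trusted for delegation still cannot get their TGT.
$adminFilter = "(&(adminCount=1)(!(userAccountControl:1.2.840.113556.1.4.803:=$UF_NOT_DELEGATED)))"
Get-ADObject -LDAPFilter $adminFilter -Properties sAMAccountName |
    Select-Object sAMAccountName, ObjectClass |
    Format-Table -AutoSize
```

Domain controller computer accounts have the flag set by default, so they are expected in the first listing; any other user or computer object that appears was deliberately flagged by an administrator and is a candidate for review. The second listing shows admin-protected accounts (adminCount=1) that are not marked sensitive; marking them, or placing them in the Protected Users group, closes the TGT-forwarding path even where a delegation-trusted service exists.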

More information about the Kerberos mailing list