Russ Allbery rra at
Fri Jul 18 01:43:04 EDT 2008

"Michael B Allen" <ioplex at> writes:
> On Thu, Jul 17, 2008 at 6:46 PM, Russ Allbery <rra at> wrote:

>> If by "better" you mean "pretty much the same," yes, modulo the
>> configuration note that I mentioned.

> No, I definitely meant "better".

> With direct SPNEGO we 401 the initial HTTP request, accept one GSSAPI
> token and get a TGT.

> With something like WebAuth, the client is redirected to a central
> server, then you have to do all of the above (or an explicit login
> which is more stuff) and then redirect the client back to the original
> target (and this doesn't include getting a TGT on the target server).

That's all very interesting and clients to a first approximation don't
care.  Speed through initial authentication is just not that high on the
feature requirements list for most applications, as opposed to speed after
initial authentication which is basically equivalent (well, Cosign's model
to allow logout possibly has some issues).

Absolutely, if you're in a situation where round trip minimization and
speed to first authentication is absolutely critical, Negotiate-Auth is a
simpler browser workflow.  Of course, the main place where that's the case
is over a WAN, which isn't the most common case for your intranet case,
but the two do coincide from time to time.

Also, both WebAuth and Cosign can provide specific credentials to the
servers, not just either a TGT or nothing, but that's a whole different
