Russ Allbery rra at
Fri Jul 18 01:57:53 EDT 2008

"Michael B Allen" <ioplex at> writes:

> If you read the whole thread you'd know I'm only talking about the
> *IntrAnet* scenario. With SPNEGO you do not type in a password at all
> whereas with WebAuth you might need to.

You're making a bogus comparison.  If you don't have to type in passwords
with SPNEGO Negotiate-Auth, you don't have to type in passwords with
WebAuth either; it can use SPNEGO Negotiate-Auth for initial
authentication.  In the Negotiate-Auth case, the password handling is
exactly the same, which one would expect given that it's using exactly the
same protocol and mechanism.  (Cosign I think requires the ticket cache on
the central login server, so does introduce the twist of delegation.)

The difference does not lie in SPNEGO handling; it lies in the
architectural complexity, in what the fallback looks like when
Negotiate-Auth doesn't work, and in the delegation and authentication
persistence model.

Russ Allbery (rra at             <>
