SSO
Russ Allbery
rra at stanford.edu
Fri Jul 18 01:57:53 EDT 2008
"Michael B Allen" <ioplex at gmail.com> writes:
> If you read the whole thread you'd know I'm only talking about the
> *IntrAnet* scenario. With SPNEGO you do not type in a passwords at all
> whereas with WebAuth you might need to.
You're making a bogus comparison. If you don't have to type in passwords
with SPNEGO Negotiate-Auth, you don't have to type in passwords with
WebAuth either; it can use SPNEGO Negotiate-Auth for initial
authentication. In the Negotiate-Auth case, the password handling is
exactly the same, which one would expect given that it's using exactly the
same protocol and mechanism. (Cosign I think requires the ticket cache on
the central login server, so does introduce the twist of delegation.)
The difference does not lie in SPNEGO handling; it lies in the
architectural complexity, in what the fallback looks like when
Negotiate-Auth doesn't work, and in the delegation and authentication
persistance model.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list