Michael B Allen ioplex at
Fri Jul 18 10:34:30 EDT 2008

On Fri, Jul 18, 2008 at 5:28 AM, Simon Wilkinson <simon at> wrote:
> On 18 Jul 2008, at 06:57, Russ Allbery wrote:
>> "Michael B Allen" <ioplex at> writes:
>>> If you read the whole thread you'd know I'm only talking about the
>>> *IntrAnet* scenario. With SPNEGO you do not type in a passwords at
>>> all
>>> whereas with WebAuth you might need to.
>> You're making a bogus comparison.
> Russ has pretty much covered the ground here, but I thought I should
> make some comments from our (Cosign based) perspective.
> SPNEGO is great in an all Windows environment, where you absolutely
> control every client that's authenticating to your system. It breaks
> down as soon as you add machines which are only loosely under your
> management control. As well as requiring that all clients have a
> properly configured Kerberos client, using SPNEGO with Firefox also
> requires browser configuration, which has to happen for every site
> that users may access, or delegate credentials to, and for every user.

As stated before this is completely false. These browser configuration
options accept a domain name which makes all the configs the same. You
do not need to specify explicit hostnames. AD will not give services
TGTs unless the service account is flagged as "Trusted for

> The only fly in the ointment here is that none of the WebSSO
> solutions currently available can handle authenticating POST
> requests, where the user hasn't previously authenticated to the
> service, due to their requirement for redirects. For us, this was a
> small price to pay.

SPNEGO handles authenticating POST just fine.


Michael B Allen
PHP Active Directory SPNEGO SSO

More information about the Kerberos mailing list