Simon Wilkinson simon at
Fri Jul 18 11:05:24 EDT 2008

On 18 Jul 2008, at 15:34, Michael B Allen wrote:
> As stated before this is completely false. These browser configuration
> options accept a domain name which makes all the configs the same.

Given that I wrote portions of this code, I'm entirely aware of what
it can, and can't do. In situations where the KDC provides no control
over delegation, you do not want every machine in your domain capable
of accepting delegated credentials. The fact that the Firefox switch
controls not just SPNEGO, but also NTLM authentication, means you
have to be additionally cautious if you have a site with machines
under multiple different managements under the same control.

> You
> do not need to specify explicit hostnames. AD will not give services
> TGTs unless the service account is flagged as "Trusted for
> delegation"

Not all KDCs implement this functionality. Not all sites use AD. The
original poster explicitly " ... does not want to use AD in any

While I'm here, I should also respond to:

> Then you have "SSO" solutions like OpenID which are really more like
> "triple sign on" since you have to login to your workstation, then to
> the OpenID service and then put in the OpenID service you're using at
> the target site.

This is not true. You can implement an OpenID solution which
leverages your site's local authentication and a WebSSO mechanism
such as Cosign, to allow single sign-on to appropriate OpenID
services too (removing the final signon step requires that the
service remember the OpenID you used when you last accessed the
site). We have such a service in development.
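As an added example (not part of this thread and not Firefox's own code), here is a small Python audit that reads a Firefox prefs.js and flags Negotiate/NTLM allow-list entries that cover a whole domain rather than explicit hosts, which is the configuration concern raised above. The preference names are real Firefox prefs; the sample prefs.js content is constructed, and the suffix-matching rule the check applies is an assumption stated in the code.

```python
import re

# Firefox preference names holding the per-URI allow-lists (real pref names).
DELEGATION_PREFS = ("network.negotiate-auth.delegation-uris",)
TRUST_PREFS = ("network.negotiate-auth.trusted-uris",
               "network.automatic-ntlm-auth.trusted-uris")

# Matches string prefs in prefs.js / user.js:  user_pref("name", "value");
PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*"([^"]*)"\);')

# Constructed sample prefs.js content for this demonstration, not real site data.
SAMPLE_PREFS = """\
user_pref("network.negotiate-auth.trusted-uris", "https://portal.example.org,.example.org");
user_pref("network.negotiate-auth.delegation-uris", ".example.org");
user_pref("network.automatic-ntlm-auth.trusted-uris", "https://legacy.example.org");
user_pref("browser.startup.homepage", "about:blank");
"""

def parse_prefs(text):
    """Return {pref_name: value} for the string-valued prefs in a prefs.js blob."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs

def is_domain_wide(entry):
    """True if the entry covers every host under a domain instead of one host.
    Assumed Firefox matching: an entry with a scheme (https://host) is compared
    as a URL prefix; a bare or leading-dot name (".example.org") is compared as
    a host-name suffix, so it matches every machine in that domain."""
    entry = entry.strip()
    return bool(entry) and "://" not in entry

def audit(prefs):
    """List (pref, entry, scope) for allow-list entries that are domain-wide.
    Delegation entries matter most: every host they match may receive a
    forwarded TGT, so they should name explicit hosts only."""
    findings = []
    for pref in DELEGATION_PREFS + TRUST_PREFS:
        scope = "delegation" if pref in DELEGATION_PREFS else "authentication"
        for entry in prefs.get(pref, "").split(","):
            if is_domain_wide(entry):
                findings.append((pref, entry.strip(), scope))
    return findings

if __name__ == "__main__":
    for pref, entry, scope in audit(parse_prefs(SAMPLE_PREFS)):
        print(f"{scope}: '{entry}' in {pref} is domain-wide; list explicit hosts")
```

On the sample above the audit reports the ".example.org" entries in both the delegation and the trusted-uris lists, while the scheme-qualified single hosts pass.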


More information about the Kerberos mailing list