Michael Ströder michael at
Fri Jul 18 12:03:55 EDT 2008

Simon Wilkinson wrote:
> On 18 Jul 2008, at 12:13, Michael Ströder wrote:
>> Is the TGT sent by the browser in the SPNEGO blob? Up to now I thought
>> it's just a service ticket.
> SPNEGO is a GSSAPI mechanism, wrapping the Kerberos one. If you set the 
> deleg_creds flag when calling into the API, then a TGT will be included.

Which entity has to set this flag when calling into the API? The web 
browser or the web server?

My goal when doing SSO for web applications is that I don't trust the 
web applications so much not to reveal the user's credentials.

Ciao, Michael.

More information about the Kerberos mailing list