Michael B Allen ioplex at
Fri Jul 18 17:36:59 EDT 2008

On Fri, Jul 18, 2008 at 12:03 PM, Michael Ströder <michael at> wrote:
> Simon Wilkinson wrote:
>> On 18 Jul 2008, at 12:13, Michael Ströder wrote:
>>> Is the TGT sent by the browser in the SPNEGO blob? Up to now I thought
>>> it's just a service ticket.
>> SPNEGO is a GSSAPI mechanism, wrapping the Kerberos one. If you set the
>> deleg_creds flag when calling into the API, then a TGT will be included.
> Which entity has to set this flag when calling into the API? The web
> browser or the web server?

It's the client's responsibility to decide whether or not to include a
TGT. A client can always request a forwardable TGT in which case it
can be submitted to the web server. For example on Linux if you do
kinit -f principal@REALM and then point Firefox at an SPNEGO protected
page, and it has network.negotiate-auth.delegation-uris set to the
target domain, it will send the TGT.

However, if you're using Windows clients in an AD environment and the
HTTP service account has "Trusted for delegation" turned off, the TGT
will not be sent.

> My goal when doing SSO for web applications is that I don't trust the
> web applications so much not to reveal the user's credentials.

Your choices are based on necessity, not trust. If the web application
needs delegated credentials (e.g. to authenticate as the user with
another tier), then you need to send the TGT [1]. If the web app does
not need delegated credentials then configure your clients not to send
the TGT (in AD this means simply turning off the "Trusted for
delegation" flag on the HTTP service account).


[1] Kerberos provides other ways to limit how the TGT can be used and
to proxy service tickets and such but I don't think browsers have
support for such things yet.

Michael B Allen
PHP Active Directory SPNEGO SSO
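The client-side preconditions described in the reply, as an added example that is not part of the original thread: a TGT obtained with kinit -f (visible as the F flag in `klist -f`) and the Firefox delegation preference. The `klist -f` output below is constructed sample data in MIT Kerberos format; the realm, principal and hostnames are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original thread. It checks two client-side
# preconditions for sending a TGT in the SPNEGO blob: the TGT must be forwardable
# (kinit -f, or forwardable = true under [libdefaults] in krb5.conf) and Firefox
# must list the target in network.negotiate-auth.delegation-uris. Whether the
# server side is "Trusted for delegation" is an AD setting and is not checked here.

# Emit the Firefox preferences (user.js syntax) that let Negotiate auth send
# credentials to, and delegate a TGT to, the given URI prefix or domain suffix.
firefox_delegation_prefs() {
    prefix="$1"   # e.g. ".example.com" or "https://sso.example.com" (assumed names)
    printf 'user_pref("network.negotiate-auth.trusted-uris", "%s");\n' "$prefix"
    printf 'user_pref("network.negotiate-auth.delegation-uris", "%s");\n' "$prefix"
}

# Read `klist -f` output on stdin; exit 0 only if the krbtgt ticket carries the
# F (forwardable) flag. Without it no delegation-uris setting will make Firefox
# include a TGT, because there is no forwardable TGT to send.
tgt_is_forwardable() {
    awk '
        /krbtgt\// { in_tgt = 1; next }          # the TGT entry itself
        in_tgt && /Flags:/ {                     # MIT klist -f prints flags on the next line
            sub(/.*Flags:[ \t]*/, "")            # keep only the flag letters, e.g. FIA
            if (index($0, "F") > 0) found = 1    # uppercase F = forwardable
            in_tgt = 0
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample: what `kinit -f alice@EXAMPLE.COM; klist -f` would show.
KLIST_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
07/18/08 12:03:00  07/18/08 22:03:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA
07/18/08 12:05:00  07/18/08 22:03:00  HTTP/www.example.com@EXAMPLE.COM
        Flags: FA'

# Constructed sample: the same user after a plain `kinit` without -f.
KLIST_NOT_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
07/18/08 12:03:00  07/18/08 22:03:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: IA'

# Stand-alone demo: in real use, replace the sample with `klist -f | tgt_is_forwardable`.
if printf '%s\n' "$KLIST_FORWARDABLE" | tgt_is_forwardable; then
    echo "TGT is forwardable: delegation can happen if the HTTP service is trusted for it"
else
    echo "TGT is not forwardable: re-run kinit -f before expecting delegation"
fi
if printf '%s\n' "$KLIST_NOT_FORWARDABLE" | tgt_is_forwardable; then
    echo "unexpected: plain kinit sample reports forwardable"
else
    echo "plain kinit sample: no F flag, the browser has no TGT to delegate"
fi
firefox_delegation_prefs ".example.com"
```

Put the two `user_pref` lines in the profile's user.js (or set them in about:config); `trusted-uris` is what makes Firefox answer the Negotiate challenge at all, and `delegation-uris` is the separate switch that permits the forwardable TGT to be included. Leaving `delegation-uris` empty is the client-side equivalent of the "Trusted for delegation" flag being off in AD: the web application then gets a service ticket and nothing more.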
