Kerberos protocol transition for linux?
S2
some.r at ndom.mail.invalid
Tue Nov 18 16:21:43 EST 2008
Hello all!

In our small corporation we decided some time ago that in our intranet
"all" (when possible) services we write should use Kerberos to
authenticate the users. This way we can have a central location to store
all identities and we can propagate the user identity from service to
service using forwardable tickets (well... this is what Kerberos was
designed for :)).

As it happens, some of our applications need to be accessed from
the evil internet, and the users accessing them can't access our KDC to
get a TGT, so we use Microsoft's ISA Server to make the transition from
Forms Based authentication to Kerberos tickets. Let me explain this part
just to be sure we are talking about the same stuff: ISA shows the user a
form asking for a username and a password, uses these credentials to get a
TGT from the KDC and then uses that ticket to authenticate to the
applications in our intranet on behalf of the user. ISA keeps a list of
SSO-Cookie-Values and Kerberos tokens, so it can talk cookies to the user
and Kerberos to the backend applications.

Now my question: is there something like this for Linux? I just need this
basic functionality, and I think I may be able to implement this myself
in a few weeks, but I think such a critical application is better done as
an open source app (more eyes etc. etc. etc.).

Thank you for any pointers.
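
Added example, not part of the original message and not ISA's or any project's code: a sketch of the cookie-to-ticket table the post describes, showing the properties that matter because the cookie becomes a bearer token for the user's Kerberos credentials. `SsoTable`, `Session`, `acquire_tgt` and `destroy_ccache` are hypothetical names; the two hooks stand in for whatever obtains and destroys the TGT.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    principal: str
    ccache: str        # credential cache holding the user's TGT
    expires_at: float  # never later than the ticket's end time


class SsoTable:
    """Maps opaque SSO cookie values to Kerberos credential caches."""

    def __init__(self, acquire_tgt, destroy_ccache, max_age=8 * 3600, clock=time.time):
        # Hypothetical hooks; a real gateway would run kinit/kdestroy or use GSSAPI.
        # acquire_tgt(user, password) -> (principal, ccache, ticket_end) or None
        self._acquire, self._destroy = acquire_tgt, destroy_ccache
        self._max_age, self._clock = max_age, clock
        self._sessions = {}  # sha256(cookie) -> Session; the raw cookie is never stored

    @staticmethod
    def _key(cookie):
        return hashlib.sha256(cookie.encode()).hexdigest()

    def login(self, user, password):
        result = self._acquire(user, password)
        if result is None:  # KDC refused the credentials: no cookie issued
            return None
        principal, ccache, ticket_end = result
        cookie = secrets.token_urlsafe(32)  # 256 random bits, sent to the browser
        expires = min(ticket_end, self._clock() + self._max_age)
        self._sessions[self._key(cookie)] = Session(principal, ccache, expires)
        return cookie

    def lookup(self, cookie):
        session = self._sessions.get(self._key(cookie))
        if session is not None and self._clock() >= session.expires_at:
            self.logout(cookie)  # expired: drop the entry and its tickets
            return None
        return session

    def logout(self, cookie):
        session = self._sessions.pop(self._key(cookie), None)
        if session is not None:
            self._destroy(session.ccache)  # tickets must not outlive the session
```

The session lifetime is capped at the ticket's end time, so a cookie can never refer to credentials that have already expired, and a dump of the table does not reveal usable cookie values.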