I'm pleased to announce an IAKERB implementation for MIT Kerberos: http://k5wiki.kerberos.org/wiki/Projects/IAKERB IAKERB allows clients that cannot reach a KDC to proxy credentials acquisition via a GSS exchange with a service. This should reduce the dependence on protocols such as NTLM and Digest outside the firewall. -- Luke