On 18 Jul 2008, at 15:34, Michael B Allen wrote:
> As stated before this is completely false. These browser configuration
> options accept a domain name which makes all the configs the same.

Given that I wrote portions of this code, I'm entirely aware of what
it can, and can't do. In situations where the KDC provides no control
over delegation, you do not want every machine in your domain capable
of accepting delegated credentials. The fact that the Firefox switch
controls not just SPNEGO, but also NTLM authentication, means you
have to be additionally cautious if you have a site with machines
under multiple different managements under the same control.

> You
> do not need to specify explicit hostnames. AD will not give services
> TGTs unless the service account is flagged as "Trusted for
> delegation"

Not all KDCs implement this functionality. Not all sites use AD. The
original poster explicitly " ... does not want to use AD in any

While I'm here, I should also respond to:

> Then you have "SSO" solutions like OpenID which are really more like
> "triple sign on" since you have to login to your workstation, then to
> the OpenID service and then put in the OpenID service you're using at
> the target site.

This is not true. You can implement an OpenID solution which
leverages your site's local authentication and a WebSSO mechanism
such as Cosign, to allow single sign-on to appropriate OpenID
services too (removing the final signon step requires that the
service remember the OpenID you used when you last accessed the
site). We have such a service in development.