On Monday, September 12, 2005 15:13:27 +0000 Jeffrey Altman <[EMAIL PROTECTED]> wrote:

> This can end up causing some problems for end users.  It is entirely
> possible for the GSSAPI authentication to succeed and yet the user
> will be unable to access the mailbox they are attempting to reach
> because the principal used is not the one which has authorization for
> accessing the mailbox.

And yet, it is what nearly every Kerberized application in existence does, and it seems to work reasonably well. I realize that you would like to see a better UI for client credential selection, but today, this is the best current practice.

That said, most mail software I've seen does allow the user to specify the authentication mechanism to use on a per-account basis. That would seem to be appropriate here, as well.

-- Jeff
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
