"Michael B Allen" <[EMAIL PROTECTED]> writes: > On Thu, Jul 17, 2008 at 6:46 PM, Russ Allbery <[EMAIL PROTECTED]> wrote:
>> If by "better" you mean "pretty much the same," yes, modulo the
>> configuration note that I mentioned.

> No, I definitely meant "better".

> With direct SPNEGO we 401 the initial HTTP request, accept one GSSAPI
> token and get a TGT.

> With something like WebAuth, the client is redirected to a central
> server, then you have to do all of the above (or an explicit login
> which is more stuff) and then redirect the client back to the original
> target (and this doesn't include getting a TGT on the target server).

That's all very interesting and clients to a first approximation don't
care. Speed through initial authentication is just not that high on the
feature requirements list for most applications, as opposed to speed after
initial authentication which is basically equivalent (well, Cosign's model
to allow logout possibly has some issues).

Absolutely, if you're in a situation where round trip minimization and
speed to first authentication is absolutely critical, Negotiate-Auth is a
simpler browser workflow. Of course, the main place where that's the case
is over a WAN, which isn't the most common case for your intranet case,
but the two do coincide from time to time.

Also, both WebAuth and Cosign can provide specific credentials to the
servers, not just either a TGT or nothing, but that's a whole different
discussion.

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos