>>>>> "Tim" == Tim Alsop <[EMAIL PROTECTED]> writes:
Tim> In this particular example we have a Web application which
Tim> needs user credentials to communicate with a back-end
Tim> system. We are therefore able to control the use of
Tim> credential forwarding within the scope of this
Tim> application. However, the Safari browser does not appear to
Tim> support the credential delegation capability that MS have
Tim> implemented in IE/IIS. If the account principal used for IIS
Tim> server is set to 'ok as delegate' in AD then a Safari browser
Tim> is supposed to obtain a forwarded tgt from the KDC and pass
Tim> to IIS server, but it is not doing this.
Again, it is not clear that implementing this is a reasonable policy
decision for Apple. How do they handle thiyngs in the non-AD case?
My point is that Apple needs to distinguish your case from cases where
forwarding is inappropriate. Doing so will require design and
implementation work.
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
