Sam,

Surely one view to take on this is:

Apple have taken a decision to implement the IETF draft protocol that Microsoft use in IE and IIS. They have done this, but not correctly. If they are going to implement an IETF draft they should make their browser work the same way that IE works so that IIS cannot tell the difference ???

However, I do understand that an implementation with Mac OSX and IIS involves different security considerations, especially related to delegation, to an environment where 100% Microsoft platforms are involved (Windows, IE, IIS).

Thanks, Tim.

-----Original Message-----
From: Sam Hartman [mailto:[EMAIL PROTECTED]
Sent: 05 December 2003 16:53
To: Tim Alsop
Cc: swbell; [EMAIL PROTECTED]
Subject: Re: Macintosh Safari Browser and IIS with Kerberos

>>>>> "Tim" == Tim Alsop <[EMAIL PROTECTED]> writes:

    Tim> In this particular example we have a Web application which
    Tim> needs user credentials to communicate with a back-end
    Tim> system. We are therefore able to control the use of
    Tim> credential forwarding within the scope of this
    Tim> application. However, the Safari browser does not appear to
    Tim> support the credential delegation capability that MS have
    Tim> implemented in IE/IIS. If the account principal used for IIS
    Tim> server is set to 'ok as delegate' in AD then a Safari browser
    Tim> is supposed to obtain a forwarded tgt from the KDC and pass
    Tim> to IIS server, but it is not doing this.

Again, it is not clear that implementing this is a reasonable policy decision for Apple. How do they handle things in the non-AD case?

My point is that Apple needs to distinguish your case from cases where forwarding is inappropriate. Doing so will require design and implementation work.

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
