Damon Rand <[EMAIL PROTECTED]> writes: > Is the clientside solution fundamentally flawed in the extranet sense? > I was under the impression that the client workstation had to be logged > into the same domain as the server.. ie. If a web user was logged into > the ACME domain from their ACME workstation then they can't come to my > site and use SPNEGO (or SASL?) protocol to login into my website > authenticated against the BAMBI domain?
In theory, it's very much possible to obtain Kerberos tickets from multiple realms at the same time and manage them appropriately. In practice, very little software actually does this properly and given the presence of kiosk machines and the like, solutions that require any action external to the web browser are of dubious usefulness, at least currently. -- Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/> ________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
