| home | help | back | first | fref | pref | prev | next | nref | lref | last | post |
Date: Mon, 12 Sep 2005 13:39:56 -0400 From: Jeffrey Hutzelman <jhutz@cmu.edu> To: Jeffrey Altman <jaltman2@nyc.rr.com>, kerberos@mit.edu Message-ID: <3613E5B5E0982CE7C94D545C@bistromath.pc.cs.cmu.edu> In-Reply-To: <rWgVe.31254$%w.4370@twister.nyc.rr.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline cc: Jeffrey Hutzelman <jhutz@cmu.edu> Errors-To: kerberos-bounces@mit.edu On Monday, September 12, 2005 15:13:27 +0000 Jeffrey Altman <jaltman2@nyc.rr.com> wrote: > This can end up causing some problems for end users. It is entirely > possible for the GSSAPI authentication to succeed and yet the user > will be unable to access the mailbox they are attempting to reach > because the principal used is not the one which has authorization for > accessing the mailbox. And yet, it is what nearly every Kerberized application in existance does, and it seems to work reasonably well. I realize that you would like to see a better UI for client credential selection, but today, this is the best current practice. That said, most mail software I've seen does allow the user to specify the authentication mechanism to use on a per-account basis. That would seem to be appropriate here, as well. -- Jeff ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
| home | help | back | first | fref | pref | prev | next | nref | lref | last | post |