Configuring WWW-Negotiate Credentials delegation

A summary of information collected from the mailing list

Credentials delegation means your credentials are being forwarded to the target host. The application on this host is now able to authenticate to other servers (POP3 for webmail frontends, LDAP to edit the corporate directory, RDBMS to do really important business stuff) and act as if it were you.

In Kerberos 5, for example, that means a TGT is forwarded to the web server. This server is now able to get all host tickets needed by the server application.

Warning: This means a delegated credential is out of your control! Delegate credentials only to servers you trust!


  1. ensure that GSSAPI-based authentication does work as described in

  2. set

    KrbSaveCredentials on

    in httpd.conf

  3. Ensure your browser really does GSSAPI credentials delegation. The following list describes how to configure the different web browsers:
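
For step 2, an added example (not from the original page) of an httpd.conf fragment that turns on KrbSaveCredentials only for the one location whose application needs the delegated ticket. The location names, realm, keytab path and the use of mod_ssl are assumptions.

```apache
# Constructed example: /webmail, /intranet, EXAMPLE.COM and the keytab
# path are placeholders, not values from the original page.

# Only this application acts on behalf of the user (e.g. logs in to the
# mail server), so only this location stores the forwarded credentials.
<Location /webmail>
    SSLRequireSSL                      # assumes mod_ssl is loaded
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on              # GSSAPI / WWW-Negotiate
    KrbMethodK5Passwd off              # no password fallback
    KrbAuthRealms EXAMPLE.COM
    Krb5Keytab /etc/httpd/http.keytab
    # Store the delegated credentials in a per-request credential cache;
    # the application finds it through the KRB5CCNAME environment variable.
    KrbSaveCredentials on
    Require valid-user
</Location>

# Everything else authenticates the user but keeps no delegated ticket.
<Location /intranet>
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    KrbAuthRealms EXAMPLE.COM
    Krb5Keytab /etc/httpd/http.keytab
    KrbSaveCredentials off
    Require valid-user
</Location>
```

Keeping the directive off everywhere it is not needed limits how many applications on the server ever hold a user's forwarded TGT.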

Thanks to:

Author: Achim Grolms. Feel free to send me corrections and feedback!

last update 2006-12-11