Our webmail (squirrelmail) is doing kerberos authentication. We gutted the authentication part of squirrelmail and instead launch a persistant imtest process, which squirrelmail connects to instead (this was relatively easy to do, actually -- most of the changes that were required were in imtest). This also has the benefit of caching authentications (like a proxy), since successive page hits just re-use the same imtest process.
I'd like to be able to do the same sort of thing; any chance these changes are distributable (no support, i'm sure they're ugly, etc. etc.)?
The trick is that you need to get the user's kerberos ticket to the web server, which we accomplish via a system known as pubcookie, which has been developed by a few universities. Its sort of like kerberos-via-cookies, though the kerberos ticket passing bit is somewhat disconnected from the main system.
This was the stumbling block in my mental exercises to get this working. I'd never heard of pubcookie before :-)
