You can use your existing Kerberos tickets to authenticate to the web login server, via the Simple and Protected GSS-API Negotiation Mechanism ("SPNEGO") protocol over HTTP.  In order for this to work, your browser must support the HTTP Negotiate mechanism, you must have a valid Kerberos ticket for the ATHENA.MIT.EDU realm, and you must configure the browser to enable negotiation with the login server.  By default, Firefox and IE are typically configured not to perform negotiation with a server unless it is trusted; Safari on Mac OS X 10.4 requires no additional configuration for the login server.

When you authenticate with a properly configured browser, you will see a ticket for the HTTP service (e.g. "HTTP/foonalagoona.mit.edu@ATHENA.MIT.EDU") in your ticket cache.

Firefox

Firefox must be configured to trust a web server before it will perform negotiation with it, by setting the network.negotiate-auth.trusted-uris preference accordingly; this can be done via the about:config interface.  For example, to enable negotiation with our test login server, foonalagoona.mit.edu, set the value to https://foonalagoona.mit.edu (note that for security this value should always be "https...", not "http...").  The value can contain multiple domains, separated by commas.  (A domain can also be wild-carded, e.g. https://mit.edu will work for all mit.edu servers, though obviously you would want to consider the wisdom of doing this.)

A separate preference, network.negotiate-auth.delegation-uris, controls delegation, i.e. forwarding your TGT to the server.
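As an added example (not part of this page), the following script checks a candidate value for the two Firefox preferences above against the advice given here (https only, no bare-domain wildcards) before emitting the matching user.js lines; the "two labels or fewer means wildcard" heuristic is my own assumption, not a Firefox rule.

```javascript
// Added example, not from the original page: sanity-check a candidate
// network.negotiate-auth.trusted-uris value and emit user.js lines for it.
// The checks encode the page's advice (https only, beware bare-domain
// wildcards); the two-label "wildcard" heuristic is an assumption of mine.

function parseTrustedUris(value) {
  // The preference is a comma-separated list; whitespace is tolerated here.
  return value.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
}

function checkTrustedUris(value) {
  const findings = [];
  for (const entry of parseTrustedUris(value)) {
    const m = /^(https?:\/\/)?([^/]+)/i.exec(entry);
    if (!m) {
      findings.push(`${entry}: not a host or URL`);
      continue;
    }
    const scheme = (m[1] || "").toLowerCase();
    const host = m[2].toLowerCase();
    if (scheme === "http://") {
      findings.push(`${entry}: http scheme; Negotiate would run over a clear channel, use https://`);
    } else if (scheme === "") {
      findings.push(`${entry}: no scheme, so http:// and https:// both match; prefix with https://`);
    }
    // A short suffix such as "mit.edu" trusts every host under that domain.
    if (host.split(".").length <= 2) {
      findings.push(`${entry}: matches every host under ${host}; list servers explicitly`);
    }
  }
  return findings;
}

function userJsLines(trusted, delegation = "") {
  // Refuse to emit a configuration that trips any check above.
  const problems = checkTrustedUris(trusted);
  if (problems.length > 0) throw new Error(problems.join("\n"));
  // JSON.stringify produces the double-quoted string user.js expects.
  const lines = [`user_pref("network.negotiate-auth.trusted-uris", ${JSON.stringify(trusted)});`];
  // Delegation forwards your TGT to the server; only set it when asked for.
  if (delegation) {
    lines.push(`user_pref("network.negotiate-auth.delegation-uris", ${JSON.stringify(delegation)});`);
  }
  return lines;
}
```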

Internet Explorer

You must add the login server to the "Local intranet security zone"; otherwise, when the login server initiates negotiation, IE will confusingly prompt for a username/password by default, as if basic auth were going to be performed.  This is the case even for a WIN.MIT.EDU client machine, because it and the login server are in different domains (realms).

To add the login server to the security zone (tested on IE6):

  • Open the Tools -> Internet Options menu
  • Click on the Security tab
  • Select "Local intranet"
  • Click the "Sites..." button
  • Click the "Advanced..." button in the "Local intranet" window
  • Add the login server URI (e.g. "https://foonalagoona.mit.edu") to the zone
  • Click OK

If the login server is not added to the security zone, you can cancel the username/password dialog displayed by IE, and it should proceed to the web login page.
