Subject: | SPNEGO clients should not try IAKERB by default |
We implemented IAKERB in 1.9. SPNEGO automatically tries all mechanisms
except for SPNEGO itself, so it tries IAKERB after regular krb5. In
practice, this is rarely useful and often serves to complicate scenarios
which would otherwise be simple. For instance, if the user has credentials
but we cannot get a service ticket for the target host, we try IAKERB
instead of failing locally; most of the time this is unnecessary work and
obscures the resulting error message.
except for SPNEGO itself, so it tries IAKERB after regular krb5. In
practice, this is rarely useful and often serves to complicate scenarios
which would otherwise be simple. For instance, if the user has credentials
but we cannot get a service ticket for the target host, we try IAKERB
instead of failing locally; most of the time this is unnecessary work and
obscures the resulting error message.