Here is a short summary of the solution: We have ported the knspnego module of aolserver [1] to NaviServer. SPNEGO [2] is an implementation of Simple and Protected GSSAPI Negotiation Mechanism. SPNEGO is used in Microsoft's "HTTP Negotiate" authentication extension. SPNEGO was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided single sign-on capability later marketed as Integrated Windows Authentication.
The implementation of NaviServer (and aolserver) module is based on the Apache module mod_spnego [3] and supports Kerberos. I have just helped porting and compiling the module. Sabine says that it works nice for Single-sign-on for their customers. The NaviServer modules is available from [4]
-gn
[1] http://aolserver.cvs.sourceforge.net/viewvc/aolserver/knspnego/
[2] https://en.wikipedia.org/wiki/SPNEGO
[3] https://sourceforge.net/projects/modspnego/
[4] https://bitbucket.org/naviserver/knspnego
