I have a requirement for getting a GSS Credential that will be generated from the Kerberos
Server implemented by Windows Active Directory will be used to connect to an IBM host
using IBM EIM (Enterprise Identity Mapping).
So I have GSS Credential delegation working when the user browser is running on a
workstation in the AD domain.
I get the GSS Credential from other claims and it works to connect the user to the IBM
My problem is 99.9% of the users workstations will not be members of the AD domain.
I can thank my misunderstanding of SPNEGO and GSS Credential delegation for this
So I'm guessing that I will have to create a new SPI that extends the Kerberos
User/Password validation that I already have working.
I'm further guessing that I can, when the browser workstation is not in the AD Domain,
I can add the credential in other claims