I have a requirement for getting a GSS Credential that will be generated from the Kerberos
Server implemented by Windows Active Directory and will be used to connect to an IBM host
using IBM EIM (Enterprise Identity Mapping).
So I have GSS Credential delegation working when the user browser is running on a
workstation in the AD domain.
I get the GSS Credential from other claims and it works to connect the user to the IBM
host.
My problem is 99.9% of the users' workstations will not be members of the AD domain.
I can thank my misunderstanding of SPNEGO and GSS Credential delegation for this
unfortunate mess.
So I'm guessing that I will have to create a new SPI that extends the Kerberos
User/Password validation that I already have working.
I'm further guessing that, when the browser workstation is not in the AD Domain,
I can add the credential in other claims.
Any guidance?