Kerberos SSO using node

A good overview of what is involved in kerberos autentication here. I do believe the picture is missing the web server actually authenticating against AD or checking that the ticket is valid somehow.

The authentication mechanism SPNEGO is described in RFC4559. Browsers need to support this and apparently Chrome does.

There seems to be a passport plugin called passport-negotiate that might be useful. There's another one named passport-spnego, but it looks less maintained and it has no README page.

I got on the right track (i.e. found out about SPNEGO) from this article.