We've been busy here working on a Kerberos solution for our "Web Booster Enterprise Single Sign On" product. This is a very specialised addon for Web Booster that allows a user to simply point their browser at Web Booster and be automatically authenticated to a Domino or WebSphere server using Ltpa tokens. The core product (using NTLM authentication and WebSphere style Ltpa tokens) has been in the making for many months, due ot the lack of documentation on the Ltpa format from IBM. As is always the case, just when you think you;re done a customer comes along and asks for a variation upon the theme - in this case using Kerberos instead of NTLM.
NTLM (NT Lan Manager) is the pre-Win2K way for clients to authenticate (automagically) with Windows NT servers. It works on a challenge response basis with a final hash supplied by the client being checked against a Windows Domain Controller. NTLM works quite well, although performance could be better (due to the number of challenges/responses and verification against the DC). Kerberos on the other hand is much faster, more secure and is not neccessarily tied to the Win2K platform (although I would estimate almost all customers would use it that way).
As is always the way, the path to glory has not been an easy one. It turns out that Windows uses SPNEGO token which are "wrapped" Kerberos tokens. Fortunately jcifs-ext came to the rescue and once we had set up the test environment correctly and worked out how the API could be ported to Booster, we were away. Now we're just crossing the t's and dotting the i's :-). Customers who have already purchsed the NTLM version will get a free upgrade to the NTLM and Kerberos version.
We've also been thinking about bundling a Tornado web application with Web Booster to enable the configuration and management of it through a web browser interface. We will investigate this over the next few months.