Mike, good work on this very useful extension.
To clarify your proposed solution on the blog post, are you saying the SPN and keypass file need to be generated on the Active Directory server, as opposed to the keypass being created on the app server?
Also, you mention that setting up a proper Kerberos environment can be complicated. I was under the impression, based on some Microsoft documentation (this and this), that Active Directory uses Kerberos out of the box. Do you know of some docs that point to other configurations that must be made to enable this? I haven't found any on MSDN. We have IIS web apps that already use Windows integrated authentication and are working, so I'm assuming the Kerberos environment is already set up for us to use and it's just a matter of me following your proposed solution to get Windows integrated auth working.
By the way, I'm interested to hear your take on Joe Khoobyar's suggestion on the blog post about using:
Microsoft Windows SSPI for native Kerberos/SPNEGO. This forgoes the need for using KTPASS, works seamlessly in complex cross-forest authentication scenarios, and is critical for full single sign-on integration when your organization uses a more "Microsoft centric" Kerberos solution… such as Centrify.