--- wikisrc/kerberos/web_browser.mdwn	2009/11/05 01:31:01	1.4
+++ wikisrc/kerberos/web_browser.mdwn	2010/10/27 00:22:51	1.7
@@ -5,8 +5,9 @@ First, Kerberize your [[system]]. Then:
 7. Open Firefox.
 7. Go to [about:config](about:config).
 7. Filter for `network.negotiate-auth`.
-7. Set `network.negotiate-auth.trusted-uris` and
-`network.negotiate-auth.delegation-uris` to `netbsd.org`.
+7. Set `network.negotiate-auth.trusted-uris` (_not_
+`network.negotiate-auth.delegation-uris`) to `netbsd.org`.
+7. **(Windows only)** Filter for `use-sspi`, then set `network.auth.use-sspi` to `false`.
 """]]
 
 #### [[!toggle id="konqueror" text="Konqueror"]]
@@ -20,10 +21,17 @@ Possibly the same as [[!toggle id="safar
 7. There is no Step 2.
 """]]
 
+#### [[!toggle id="chrome" text="Google Chrome"]]
+[[!toggleable id="chrome" text="""
+[Chromium docs](http://sites.google.com/a/chromium.org/dev/developers/design-documents/http-authentication)
+"""]]
+
 #### [[!toggle id="ie" text="Internet Explorer"]]
 [[!toggleable id="ie" text="""
 Internet Explorer can use Microsoft's built-in Kerberos. Anyone know how? Some possibly relevant links:
 
+> Sadly, it seems MS IE can only use tickets cached inside LSA (Local Security Authority), and this cache is only created upon logon through winlogon service. Which means that a `host/<windows_machine>` principal would be needed for each Windows client that wants to cache a TGT. This is only suitable for Intranet-like networks. Maybe there is another way to manage the LSA after login, similar to [[!template id=man name=kinit section=1]]... --[[jym]]
+
 * <http://rc.quest.com/topics/mod_auth_vas/howto.php#iexplore>
 * <http://support.microsoft.com/kb/299838>
 * <http://technet.microsoft.com/en-us/library/cc779070(WS.10).aspx>