Mod_auth_kerb also supports the Negotiate authentication method, which performs full Kerberos authentication based on certificate exchanges, and does not require users to insert their passwords to the browser. In order to use the Negotiate method you need a browser supporting it (currently standard IE6.0 or Mozilla with the Negotiateauth extension).

Negotiateauth is a plugin for Mozilla-based browsers supporting the HTTP Negotiate authentication method. This adds support for the Kerberos mechanism and uses Kerberos certificates for authentication instead of passwords so the users' Kerberos passwords will no longer be transfered to the web server.

Mod_auth_kerb supports both kerberos4 and kerberos5 protocols for password verification. The Negotiate mechanism can be only used with Kerberos v5. It supports both 1.x and 2.x versions of Apache.

If you are using the Basic Auth mechanism, the module does not do any special encryption of any sort. The passing of the username and password is done with the same Base64 encoding that Basic Auth uses. This can easily be converted to plain text. It is recommended that mod_ssl or Apache-SSL be used. The use of SSL encryption is also recommended if you are using the Negotiate method.