Another way to avoid hand-coded SPNEGO here would be to use SSPI for SPNEGO. That could negotiate Kerberos or NTLM, but I do believe there's a way to tell it to only negotiate Kerberos -- I'm not terribly familiar with the details, but I'm pretty sure that Martin Rex's GSS->SSPI shim handles this. Nico --