I needed users within our organization to be able to login to XWiki via HTTP Negotiate. I'm sure this is a requirement for other companies as well.
The easiest way IMHO to do this is to have Apache HTTPD do the heavy lifting with mod_auth_kerb. Implementing Java container/Realm HTTP Negotiate would be considerable more work.
After Apache HTTPD has done the kerberos authentication one would expect to be able to simply use Xwiki's AppServerTrustedAuthServiceImpl as authentication implementation class and be done with it. However in Kerberos the user is authenticated as a principal which looks like this username@REALMNAME.TLD (for example: siepkes@EXAMPLE.COM). The @REALMNAME.TLD part makes it impossible to use AppServerTrustedAuthServiceImpl.
I propose we include a simple class called AppServerTrustedKerberosAuthServiceImpl which chops off the @REALMNAME.TLD part of the principal. This works for me with: MIT-Kerberos, Apache 2 HTTP, mod_auth_kerb, mod_jk and Apache Tomcat 5.5.
Theoretically this class should also work with IIS, mod_jk and Apache Tomcat 5.5, making it possible for Active Directory users to automatically login via SSO. I Haven't tested it, but for as far as I can see this shoud work.