Getting SPNEGO HTTP headers to a CGI?

on 23.04.2008 15:25:08 by Michael Schlenker

Hi all,

trying to get the following setup to work:

       Http SPNEGO                     SPNEGO via CORBA
IE <---------------------> IIS <---> CGI
                                     <--------------------------------> AppServer

So basically using IIS as a primitive frontend for an AppServer that
can do Kerberos Auth itself (via SSPI or GSSAPI). The AppServer may be
on Windows but it may be on some Unix host, shouldn't matter.

Basically I would need to put the HTTP auth headers into the CGI
environment somehow but didn't find any IIS docs about it.

Not sure if this would work:

register an SPN HTTP/somevirtualhost.example.com@EXAMPLE.COM and let
the AppServer use that SPN with its call to SSPI AcquireCredentials()/
InitializeSecurityContext(). Now configure IIS somehow to pass all
Auth headers for http://somevirtualhost.example.com/.* to my CGI that
simply forwards stuff to the AppServer.

I know that it's in principle unsafe to pass such info through CGI
environment vars, but for SPNEGO based Kerberos tokens it shouldn't
matter, those are designed for unsafe networks.

So is there a simple way to do this with IIS (handle auth stuff on the
CGI level)?

Michael
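
For the relay CGI described in the post, a check worth running before a token is forwarded to the AppServer is whether the `Negotiate` header really carries a SPNEGO or Kerberos token rather than an NTLM fallback. The sketch below is an added example, not code from the original post; the variable name `HTTP_AUTHORIZATION` is an assumption based on the CGI `HTTP_*` convention (RFC 3875 allows a server to withhold the Authorization header from scripts), and the function names are hypothetical.

```python
import base64

# DER-encoded mechanism OIDs that open a GSS-API initial context token.
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
NTLM_SIGNATURE = b"NTLMSSP\x00"


def der_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, offset of content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_negotiate(environ, var="HTTP_AUTHORIZATION"):
    """Return (kind, raw_token); kind is 'spnego', 'kerberos', 'ntlm' or None."""
    scheme, _, b64 = environ.get(var, "").strip().partition(" ")
    if scheme.lower() != "negotiate":
        return None, b""
    try:
        token = base64.b64decode(b64.strip(), validate=True)
        if token.startswith(NTLM_SIGNATURE):
            return "ntlm", token          # NTLM fallback, not Kerberos
        if token[:1] != b"\x60":          # [APPLICATION 0] wrapper expected
            return None, b""
        length, pos = der_length(token, 1)
    except (ValueError, IndexError):
        return None, b""
    if pos + length != len(token):        # declared size must match exactly
        return None, b""
    if token.startswith(SPNEGO_OID, pos):
        return "spnego", token
    if token.startswith(KRB5_OID, pos):
        return "kerberos", token
    return None, b""


if __name__ == "__main__":
    # Constructed sample: SPNEGO OID followed by a dummy 5-byte body.
    body = SPNEGO_OID + b"\xa0\x03\x30\x01\x00"
    sample = base64.b64encode(b"\x60" + bytes([len(body)]) + body).decode()
    print(classify_negotiate({"HTTP_AUTHORIZATION": "Negotiate " + sample})[0])
```

Only the outer framing is inspected here; validating the ticket itself stays with the AppServer's SSPI or GSSAPI calls.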