Cosign v2.1.0 introduced support for 'Negotiate' authentication - essentially this allows a kerberos ticket from the desktop session to be passed through the web browser to authenticate against a web server.
Practical use of Negotiate with CoSign is tricky because of inconsistencies in browser behaviour, and because of the wide variety of environments that CoSign needs to support.
Simon Wilkinson described a technique for testing for Negotiate support in browsers. The technique for testing for Negotiate support is to send a background request (using XMLHttpRequest) for a page that requires Negotiate for it to be accessible.
This technique is impractical on some browsers (MSIE, Safari, Chrome) because the background request falls back to Basic Auth, which pops up a dialogue to request credentials. Simon's solution to this seems to be to exclude these browsers from using Negotiate at all, which seems a bit heavy-handed to me.
The solution that I've stumbled across is a tiny variation - sending a username and (blank) password seems to be sufficient to suppress the Basic Auth dialogue. This seems to make sense - the dialogue came up because the browser was trying to access a resource, and the server asked it for credentials, and it didn't have any. We're supplying credentials now, so it can fail without having to ask the user first.