This site requires JavaScript to be enabled
An updated version of this article is available


4.0 - Updated on 2022-02-14 by Marcia Teckenbrock

3.0 - Updated on 2021-02-22 by Carlos Salazar

2.0 - Updated on 2020-11-12 by Marcia Teckenbrock

1.0 - Authored on 2018-08-22 by Olga Terlyga

Intended for: Single sign-on (SSO) users who want to access an application via the Kerberos authentication option


Scenario/Use case:

Before you can log in to a Fermilab SSO-enabled application via Kerberos authentication, you will first need to configure your browser for Kerberos authentication by following the steps below.


Internet Explorer






Internet Explorer Top of page

* If you are using a Windows computer in the FERMI domain (this includes the vast majority of Fermilab-owned Windows computers), then no additional configuration is needed

* Single sign-on (SSO) users on a non-domain, non-Fermilab-owned Windows computer are advised to use their Fermilab CILogon Basic CA certificate, Fermilab CILogon Silver CA certificate, or Services username and password to access an SSO-enabled application. If you attempt to use "On Site Fermi Windows System" or "Kerberos" login options you will be presented with a pop-up window. Do not enter your credentials, click cancel and you will be redirected to username and password login page. 



Edge  Top of page

    Edge shares configuration with Internet Explorer



Safari  Top of page

    No additional configuration is needed.



Firefox  Top of page


1. Open a new tab.



2. Type about:config in the address bar and click I accept the risk!


 You will see the configuration parameters editor.



3. Find the parameter network.negotiate-auth.trusted-uris and set the value to 




Chrome  Top of page

Windows: Chrome on Windows shares the configuration with Internet Explorer and Edge

Mac: Chrome on Mac requires command line arguments on start up. Go to the Chrome directory and start Chrome with the AuthServerWhitelist parameter

       cd /Applications/Google

        ./"Google Chrome" --auth-server-whitelist="*"  --auth-negotiate-delegate-whitelist="*"

Linux: Chrome on Linux requires command line arguments on start up

        /usr/bin/google-chrome-stable %U --auth-server-whitelist="*" --auth-negotiate-delegate-whitelist="*"







See Also:

How to choose an authentication option on the Fermilab single sign-on (SSO) page