This site requires JavaScript to be enabled

How to configure a browser for Kerberos authentication

641 views

4.0 - Updated on 2022-02-14 by Marcia Teckenbrock

3.0 - Updated on 2021-02-22 by Carlos Salazar (Inactive)

2.0 - Updated on 2020-11-12 by Marcia Teckenbrock

1.0 - Authored on 2018-08-22 by Olga Terlyga (Inactive)

How to configure a browser for Kerberos authentication


Intended for:

Single sign-on (SSO) users who want to access an application via the Kerberos authentication option.



Scenario/Use case:

Before you can log in to a Fermilab SSO-enabled application via Kerberos authentication, you will first need to configure your browser for Kerberos authentication by following the steps below.



Instructions:

Internet Explorer

Edge 

Safari 

Firefox 

Chrome


Internet Explorer Top of page

* If you are using a Windows computer in the FERMI domain (this includes the vast majority of Fermilab-owned Windows computers), then no additional configuration is needed

* Single sign-on (SSO) users on a non-domain, non-Fermilab-owned Windows computer are advised to use their Fermilab CILogon Silver CA certificate or Services username and password to access an SSO-enabled application. If you attempt to use "Onsite Fermi Windows System" or "Kerberos" login options you will be presented with a pop-up window. Do not enter your credentials, click Cancel and you will be redirected to username and password login page. 


Edge  Top of page

    Edge shares configuration with Internet Explorer.



Safari  Top of page

    No additional configuration is needed.

  


Firefox  Top of page


1. Open a new tab.


2. Type about:config in the address bar and click I accept the risk!



 You will see the configuration parameters editor.



3. Find the parameter network.negotiate-auth.trusted-uris and set the value to fnal.gov.



Chrome  Top of page

Windows: Chrome on Windows shares the configuration with Internet Explorer and Edge.

Mac: Chrome on Mac requires command line arguments on start up. Go to the Chrome directory and start Chrome with the AuthServerWhitelist parameter:

       cd /Applications/Google Chrome.app/Contents/MacOS

        ./"Google Chrome" --auth-server-whitelist="*.fnal.gov"  --auth-negotiate-delegate-whitelist="*.fnal.gov"

Linux: Chrome on Linux requires command line arguments on start up:

        /usr/bin/google-chrome-stable %U --auth-server-whitelist="*.fnal.gov" --auth-negotiate-delegate-whitelist="*.fnal.gov"



See Also:

How to choose an authentication option on the Fermilab single sign-on (SSO) page

Using Kerberized tickets