How to configure a browser for Kerberos authentication
Intended for:
Single sign-on (SSO) users who want to access an application via the Kerberos authentication option.
Scenario/Use case:
Before you can log in to a Fermilab SSO-enabled application via Kerberos authentication, you will first need to configure your browser for Kerberos authentication by following the steps below.
Instructions:
Edge Top of page
* If you are using a Windows computer in the FERMI domain (this includes the vast majority of Fermilab-owned Windows computers), then no additional configuration is needed.
* Single sign-on (SSO) users on a non-domain, non-Fermilab-owned Windows computer are advised to use their Services username and password to access an SSO-enabled application. If you attempt to use "Onsite Fermi Windows System" or "Kerberos" login options you will be presented with a pop-up window. Do not enter your credentials, click Cancel and you will be redirected to username and password login page.
Safari Top of page
No additional configuration is needed.
Firefox Top of page
1. Open a new tab.
2. Type about:config in the address bar and click I accept the risk!
You will see the configuration parameters editor.
3. Find the parameter network.negotiate-auth.trusted-uris and set the value to fnal.gov.
Chrome Top of page
Windows: Chrome on Windows shares the configuration with Edge.
Mac: Chrome on Mac requires command line arguments on start up. Go to the Chrome directory and start Chrome with the AuthServerWhitelist parameter:
cd /Applications/Google Chrome.app/Contents/MacOS
./"Google Chrome" --auth-server-whitelist="*.fnal.gov" --auth-negotiate-delegate-whitelist="*.fnal.gov"
Linux: Chrome on Linux requires command line arguments on start up:
/usr/bin/google-chrome-stable %U --auth-server-whitelist="*.fnal.gov" --auth-negotiate-delegate-whitelist="*.fnal.gov"
See Also:
How to choose an authentication option on the Fermilab single sign-on (SSO) page