How to configure a browser for Kerberos authentication
Single sign-on (SSO) users who want to access an application via the Kerberos authentication option.
Before you can log in to a Fermilab SSO-enabled application via Kerberos authentication, you will first need to configure your browser for Kerberos authentication by following the steps below.
Internet Explorer Top of page
* If you are using a Windows computer in the FERMI domain (this includes the vast majority of Fermilab-owned Windows computers), then no additional configuration is needed.
* Single sign-on (SSO) users on a non-domain, non-Fermilab-owned Windows computer are advised to use their Fermilab CILogon Silver CA certificate or Services username and password to access an SSO-enabled application. If you attempt to use "Onsite Fermi Windows System" or "Kerberos" login options you will be presented with a pop-up window. Do not enter your credentials, click Cancel and you will be redirected to username and password login page.
Edge Top of page
Edge shares configuration with Internet Explorer.
Safari Top of page
No additional configuration is needed.
Firefox Top of page
1. Open a new tab.
2. Type about:config in the address bar and click I accept the risk!
You will see the configuration parameters editor.
3. Find the parameter network.negotiate-auth.trusted-uris and set the value to fnal.gov.
Chrome Top of page
Windows: Chrome on Windows shares the configuration with Internet Explorer and Edge.
Mac: Chrome on Mac requires command line arguments on start up. Go to the Chrome directory and start Chrome with the AuthServerWhitelist parameter:
cd /Applications/Google Chrome.app/Contents/MacOS
./"Google Chrome" --auth-server-whitelist="*.fnal.gov" --auth-negotiate-delegate-whitelist="*.fnal.gov"
Linux: Chrome on Linux requires command line arguments on start up:
/usr/bin/google-chrome-stable %U --auth-server-whitelist="*.fnal.gov" --auth-negotiate-delegate-whitelist="*.fnal.gov"