Comment: Changed firefox configuration, replaced the "Linux" with "Advanced" part

 

Configure your browser to authenticate using the "system logon credentials" (Kerberos authentication mechanism):


Mozilla Firefox

...

To access the advanced Firefox settings, enter about:config into the Address bar and press [Enter]. This will bring up a long list of customizable preferences for the current installation of the browser.

You need to add the FQDN (fully qualified domain name) of the IdP Server to the list of trusted URIs:

  • network.negotiate-auth.trusted-uris - FQDN of the IdP Server.

 


 

You can find the right FQDN on the "Login page":


  Example of configuration when

Firefox

...


...


...

- Advanced configuration

Attention: These options are for "advanced" users only!

If your OS does not have an integrated GSSAPI (like some Linux distributions), you can specify which external library to use with:

  • network.negotiate-auth.gsslib (default: empty) - Specifies an alternate GSSAPI shared library.


...

  • using-native-gsslib - Use the default GSSAPI library.

For example:


Here are other settings concerning negotiate/authentication:

  • network.negotiate-auth.delegation-uris (default: empty) - The FQDNs for which credential delegation is allowed (trusted).
  • network.negotiate-auth.allow-proxies (default: true) - Enables proxy authentication using the negotiate method.
  • network.negotiate-auth.gsslib - You can use Kerberos on other platforms if you specify the "gss library".
  • network.negotiate-auth.using-native-gsslib - Use the default GSSAPI library.
  • network.auth.use-sspi (only on Windows, default: true) - Whether to use Microsoft's SSPI library; if disabled, GSSAPI is used.
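
An added example (not part of the original page and not Firefox code): a small audit of a profile's prefs.js/user.js text that flags trusted-uris and delegation-uris entries broader than a single IdP host. The sample prefs, the hosts files.domain-a.com and domain-b.com, and the "fewer than three labels" heuristic are assumptions of this example.

```python
import re

# Matches lines such as: user_pref("network.negotiate-auth.trusted-uris", "aai-logon.domain-a.com");
PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)
TRUSTED = "network.negotiate-auth.trusted-uris"
DELEGATION = "network.negotiate-auth.delegation-uris"

# Constructed sample profile; files.domain-a.com and domain-b.com are made-up hosts.
SAMPLE = '''
user_pref("network.negotiate-auth.trusted-uris", "aai-logon.domain-a.com, https://, domain-b.com");
user_pref("network.negotiate-auth.delegation-uris", "files.domain-a.com");
user_pref("network.negotiate-auth.allow-proxies", true);
'''


def parse_prefs(text):
    """Return {name: value} for the negotiate/auth prefs (string or boolean values)."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if name.startswith(("network.negotiate-auth.", "network.auth.")):
            prefs[name] = raw.strip('"') if raw.startswith('"') else raw == "true"
    return prefs


def host_of(entry):
    """Strip the optional scheme, port and path from one list entry."""
    host = entry.split("://", 1)[-1]
    return host.split("/", 1)[0].split(":", 1)[0].lstrip(".").lower()


def audit(text):
    """Return (pref, entry, finding) tuples; the rules are this example's policy."""
    prefs, findings = parse_prefs(text), []
    lists = {p: [e.strip() for e in str(prefs.get(p, "")).split(",") if e.strip()]
             for p in (TRUSTED, DELEGATION)}
    trusted_hosts = {host_of(e) for e in lists[TRUSTED]}
    for pref, entries in lists.items():
        for entry in entries:
            host = host_of(entry)
            if not host or "*" in host:
                findings.append((pref, entry, "no concrete host named"))
            elif host.count(".") < 2:
                findings.append((pref, entry, "fewer than three labels, likely a whole domain"))
            elif pref == DELEGATION and host not in trusted_hosts:
                findings.append((pref, entry, "delegation target is not a trusted URI"))
    return findings


if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
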

DEBUG (for "advanced" Firefox users): To start Firefox with more debug information, you can use a script like this:

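#!/bin/bash
# Log the negotiate (Kerberos/GSSAPI) authentication module at level 5
export NSPR_LOG_MODULES=negotiateauth:5
# The user starting Firefox must be able to write to this file
export NSPR_LOG_FILE=/var/log/firefox.log
firefox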


Internet Explorer

The browser must be configured to enable single sign-on (SSO) support. SSO only works on the intranet and with trusted URLs.

  • First, open the Internet Options from the Tools menu 

...

  • Configure the automatic authentication handling in the browser. Go back to the Security tab and select the Custom Level.

  • Scroll down to the bottom in the settings and make sure that Logon is set to Automatic only in intranet zone.

...

Now the browser should be set up correctly.


Chrome

To configure Chrome, you need to start the application with the following parameter:

  • auth-server-whitelist - Allowed FQDN - Set the FQDN of the IdP Server. Example:

chrome --auth-server-whitelist="*aai-logon.domain-a.com"

You can find the right FQDN on the "Login page":


Safari

No additional configuration is needed.


Opera

Opera does not currently support Kerberos authentication.