Kerberos authentication on a Mac OS X workstation with Chrome

Kerberos authentication allows your computer to log into certain services automatically without you having to enter (and re-enter) your password (it's an SSO—single sign-on—service). Kerberos v5 is baked into Windows and Internet Explorer and works great with many LDAP-enabled services (for example, Drupal's LDAP module includes a submodule for SSO support).

Kerberos is built into Mac OS X as well, but isn't as simple to use and configure with Chrome and Firefox as it is with Internet Explorer on a Windows workstation. You need to do two things before you can use Kerberos for authentication in Chrome/Firefox:

  1. Create a Kerberos ticket with the Ticket Viewer application (/System/Library/CoreServices/Ticket Viewer) or via the command line (kinit [email protected], then enter your password). See this article for more detailed instructions.
  2. Configure Chrome's whitelist to allow authentication against any domains you will be using (along with the domain you used with kinit above). In the Terminal, run the following commands:
    $ defaults write com.google.Chrome AuthServerWhitelist "*.example.com"
    $ defaults write com.google.Chrome AuthNegotiateDelegateWhitelist "*.example.com"

> **2019 Update**: For newer versions of Chrome (~68+), you might need to use the same commands above, but without the double quotes.

In all the above examples, replace 'example.com' with your domain. Also, for the Chrome defaults, you can add multiple domains with commas separating each. The asterisk is a wildcard, so any subdomain would work.
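The following shell script is an added example, not part of the original post: it validates each allowlist pattern (rejecting things like `*domain`, which has no dot after the wildcard, or a pattern containing a stray comma), joins the patterns into the comma-separated value Chrome expects, and writes both keys for a given browser bundle id (`com.google.Chrome`, `org.chromium.Chromium` or `com.microsoft.Edge`). It assumes the key names that Chrome 101 and later read, `AuthServerAllowlist` and `AuthNegotiateDelegateAllowlist`, rather than the older `Whitelist` names used above; the function names and the `DRY_RUN` variable are this example's own inventions.

```shell
#!/bin/sh
# Added example, not from the original post. Builds and applies the Chrome
# Kerberos/Negotiate allowlist from a list of domain patterns.
# Assumptions: macOS `defaults` is on PATH when actually applying; key names are the
# Chrome 101+ AuthServerAllowlist / AuthNegotiateDelegateAllowlist (hypothetical
# helper names below are this example's own).

# is_valid_pattern PATTERN -> 0 if PATTERN looks like "*.example.com" or "host.example.com"
is_valid_pattern() {
    case "$1" in
        ''|*' '*|*','*) return 1 ;;     # empty, contains whitespace, or contains a comma
        '*.'*) rest="${1#\*.}" ;;       # one leading "*." wildcard is allowed
        '*'*) return 1 ;;               # "*domain" is not a hostname pattern
        *) rest="$1" ;;
    esac
    case "$rest" in
        *'*'*|.*|*.|*..*) return 1 ;;   # no further wildcards, no empty labels
    esac
    return 0
}

# join_patterns P1 P2 ... -> prints "P1,P2,..." ; non-zero exit if any pattern is invalid
join_patterns() {
    out=""
    for p in "$@"; do
        is_valid_pattern "$p" || { echo "invalid allowlist pattern: $p" >&2; return 1; }
        out="${out:+$out,}$p"
    done
    printf '%s\n' "$out"
}

# apply_allowlist BUNDLE_ID P1 P2 ... -> writes both allowlist keys for the browser.
# With DRY_RUN=1 the `defaults` commands are printed instead of executed, so the
# script can be exercised on a non-macOS host.
apply_allowlist() {
    bundle="$1"; shift
    value="$(join_patterns "$@")" || return 1
    for key in AuthServerAllowlist AuthNegotiateDelegateAllowlist; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'defaults write %s %s -string %s\n' "$bundle" "$key" "$value"
        else
            defaults write "$bundle" "$key" -string "$value"
        fi
    done
}

# clear_allowlist BUNDLE_ID -> removes both keys. `defaults delete` takes only the
# domain and the key; passing a value after the key is a syntax error.
clear_allowlist() {
    bundle="$1"
    for key in AuthServerAllowlist AuthNegotiateDelegateAllowlist; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'defaults delete %s %s\n' "$bundle" "$key"
        else
            defaults delete "$bundle" "$key"
        fi
    done
}

# Usage (constructed sample domains): print what would be written, then apply for real.
# DRY_RUN=1 apply_allowlist com.google.Chrome '*.example.com' '*.another.net'
# apply_allowlist com.google.Chrome '*.example.com' '*.another.net'
```

Restart the browser after running `apply_allowlist`; Chrome reads these defaults at startup, and a running instance keeps whatever allowlist it loaded. Keep the wildcard scoped to the domains you actually authenticate to, since every host matching `AuthNegotiateDelegateAllowlist` is allowed to receive a forwardable copy of your ticket.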

Safari works out of the box if you've created a Kerberos ticket as outlined in step 1; Firefox just needs a couple of settings configured on the about:config page.

Comments

Thank you! I've been struggling for a month now to make Chrome work with our Sophos firewall.
No extensions worked. Your method however worked on the first try.

What about Firefox? What are the couple of settings?

Go to about:config and add your [email protected] to network.negotiate-auth.trusted-uris. Field is comma delimited. The user.js file can auto-set these preferences which is under the users' Mozilla profile.

Can you provide an example of the syntax for multiple domains? I can't seem to get it quite right.

The syntax is "*.example.com,*.another.net", so just comma separated. This at least works for me.
Most important part, though, is that you will have to restart Google Chrome after making this change.

Great information! At my company we just adjusted to "does not work with Chrome". But now! Thanks to you! Everything works!

If you are using Chromium you need to use "org.chromium.Chromium" as a key to write to. Not really easy to find.

It seems this may not work anymore on newer version of Chrome? Can anyone else confirm?

I figured it out for newer versions.

It's the same commands but without the "quotes":

defaults write com.google.Chrome AuthServerWhitelist *.domain.com
defaults write com.google.Chrome AuthNegotiateDelegateWhitelist *.domain.com

Hi, since Chrome version 101 the two config names have been replaced:
AuthServerWhitelist -> AuthServerAllowlist
AuthNegotiateDelegateWhitelist -> AuthNegotiateDelegateAllowlist

I just tested this and it fixed an issue that I've been struggling with for 2 weeks! Old parameters don't work but new ones work like a charm! Thank you!

So I ran the defaults (both) and kinit... when I navigate to a page that needs authentication in Safari, no problem, but when I try the same path in Chrome I get:

    java.lang.NullPointerException
    net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:463)
    net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:283)
    net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:229)

I am trying to delete the allow list but I'm getting syntax errors... works for Chrome, not for Edge.

    # defaults delete com.microsoft.Edge AuthServerAllowlist "*domain"
    Command line interface to a user's defaults.
    Syntax:

    'defaults' [-currentHost | -host <hostname>] followed by one of the following:

      read                                 shows all defaults
      read <domain>                        shows defaults for given domain
      read <domain> <key>                  shows defaults for given domain, key

      read-type <domain> <key>             shows the type for the given domain, key

      write <domain> <domain_rep>          writes domain (overwrites existing)
      write <domain> <key> <value>         writes key for domain

      rename <domain> <old_key> <new_key>  renames old_key to new_key

      delete <domain>                      deletes domain
      delete <domain> <key>                deletes key in domain

      import <domain> <path to plist>      writes the plist at path to domain
      import <domain> -                    writes a plist from stdin to domain
      export <domain> <path to plist>      saves domain as a binary plist to path
      export <domain> -                    writes domain as an xml plist to stdout
      domains                              lists all domains
      find <word>                          lists all entries containing word
      help                                 print this help

    <domain> is ( <domain_name> | -app <application_name> | -globalDomain )
             or a path to a file omitting the '.plist' extension

    <value> is one of:
      <value_rep>
      -string <string_value>
      -data <hex_digits>
      -int[eger] <integer_value>
      -float <floating-point_value>
      -bool[ean] (true | false | yes | no)
      -date <date_rep>
      -array <value1> <value2> ...
      -array-add <value1> <value2> ...
      -dict <key1> <value1> <key2> <value2> ...
      -dict-add <key1> <value1> ...