Kerberos authentication allows your computer to log into certain services automatically without you having to enter (and re-enter) your password (it's a SSO—single sign-on—service). Kerberos v5 is baked into Windows and Internet Explorer and works great with many LDAP-enabled services (for example, Drupal's LDAP module allows includes a submodule for SSO support).
Kerberos is built into Mac OS X as well, but isn't as simple to use and configure with Chrome and FireFox as it is with Explorer on a Windows workstation. You need to do two things before you can use Kerberos for authentication in Chrome/FireFox:
- Create a Kerberos ticket with the Ticket Viewer application (/System/Library/CoreServices/Ticket Viewer) or via the command line (
kinit firstname.lastname@example.org, then enter your password). See this article for more detailed instructions.
- Configure Chrome's whitelist to allow authentication against any domains you will be using (along with the domain you used with kinit above). In the Terminal, run the following commands:
$ defaults write com.google.Chrome AuthServerWhitelist “*.example.com”
$ defaults write com.google.Chrome AuthNegotiateDelegateWhitelist “*.example.com”
In all the above examples, replace 'example.com' with your domain. Also, for the Chrome defaults, you can add multiple domains with commas separating each. The asterisk is a wildcard, so any subdomain would work.
Safari works out of the box if you've created a Kerberos ticket as outlined in step 1; FireFox just needs a couple settings configured on the