Kerberos authentication on a Mac OS X workstation with Chrome

Kerberos authentication allows your computer to log into certain services automatically without you having to enter (and re-enter) your password (it's an SSO, single sign-on, service). Kerberos v5 is baked into Windows and Internet Explorer and works well with many LDAP-enabled services (for example, Drupal's LDAP module includes a submodule for SSO support).

Kerberos is built into Mac OS X as well, but isn't as simple to use and configure with Chrome and Firefox as it is with Internet Explorer on a Windows workstation. You need to do two things before you can use Kerberos for authentication in Chrome or Firefox:

  1. Create a Kerberos ticket with the Ticket Viewer application (/System/Library/CoreServices/Ticket Viewer) or via the command line (kinit username@example.com, then enter your password). See this article for more detailed instructions.
  2. Configure Chrome's whitelist to allow authentication against any domains you will be using (along with the domain you used with kinit above). In the Terminal, run the following commands (use plain straight quotes; curly quotes are stored literally and the whitelist will never match):
    $ defaults write com.google.Chrome AuthServerWhitelist "*.example.com"
    $ defaults write com.google.Chrome AuthNegotiateDelegateWhitelist "*.example.com"

In all of the above examples, replace 'example.com' with your domain. For the Chrome defaults, you can list multiple domains separated by commas. The asterisk is a wildcard, so any subdomain of the listed domain will match.
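As an added example (not from the original post), here is a small shell script that builds the comma-separated whitelist value for several domains and writes both Chrome keys; the domain names are constructed samples, and the script deliberately keeps the delegate list narrower than the server list, since only hosts that must act on your behalf should receive a forwarded ticket.

```shell
#!/bin/sh
# Added example, not from the original post. Domain names below are
# constructed samples. Applying the keys needs macOS `defaults`; the
# build step is plain POSIX sh and runs anywhere.

# Turn "example.com corp.example.net" into "*.example.com,*.corp.example.net".
# Refuses an empty list, a bare "*", or entries containing spaces/commas:
# a "*" entry would let Chrome send Negotiate credentials (and, on the
# delegate list, a forwarded ticket) to any host that asks.
build_whitelist() {
    list=""
    [ $# -gt 0 ] || return 1
    for d in "$@"; do
        case "$d" in
            ''|'*'|*' '*|*','*) return 1 ;;   # empty, bare wildcard, separators
            '*.'*) entry="$d" ;;             # already a wildcard pattern
            *) entry="*.$d" ;;               # prefix the wildcard
        esac
        list="${list:+$list,}$entry"
    done
    printf '%s' "$list"
}

# Write both keys and read them back so you see exactly what Chrome stores.
# (Newer Chrome versions also accept the renamed AuthServerAllowlist /
# AuthNegotiateDelegateAllowlist policies; the page's names are used here.)
apply_chrome_whitelist() {
    server="$1"; delegate="$2"
    command -v defaults >/dev/null 2>&1 || {
        echo "defaults(1) not found; run this on macOS" >&2; return 1; }
    defaults write com.google.Chrome AuthServerWhitelist "$server" || return 1
    defaults write com.google.Chrome AuthNegotiateDelegateWhitelist "$delegate" || return 1
    defaults read com.google.Chrome AuthServerWhitelist
    defaults read com.google.Chrome AuthNegotiateDelegateWhitelist
}

# Run with --apply to actually change the Chrome defaults (sample domains).
if [ "${1:-}" = "--apply" ]; then
    SERVER=$(build_whitelist example.com corp.example.net) || exit 1
    DELEGATE=$(build_whitelist intranet.example.com) || exit 1
    apply_chrome_whitelist "$SERVER" "$DELEGATE"
fi
```

Restart Chrome after applying; the keys are read at startup.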

Safari works out of the box if you've created a Kerberos ticket as outlined in step 1; Firefox just needs a couple of settings configured on its about:config page.

Comments

My reading tells me that Safari doesn't support Kerberos ticket forwarding. Any thoughts?

https://discussions.apple.com/message/21104706#24471966

Thank you! I've been struggling for a month now to make Chrome work with our Sophos firewall.
No extensions worked. Your method however worked on the first try.

What about Firefox? What are the couple of settings?

Go to about:config and add your server@domain.com to network.negotiate-auth.trusted-uris. The field is comma-delimited. The user.js file, which is under the user's Mozilla profile, can auto-set these preferences.

Thanks. This was very helpful and got my Chrome auth via Kerberos working.

Can you provide an example of the syntax for multiple domains? I can't seem to get it quite right.