Kerberos authentication on a Mac OS X workstation with Chrome

Kerberos authentication lets your computer log into certain services automatically without you having to enter (and re-enter) your password (it is a single sign-on, or SSO, service). Kerberos v5 is baked into Windows and Internet Explorer and works well with many LDAP-enabled services (for example, Drupal's LDAP module includes a submodule for SSO support).

Kerberos is built into Mac OS X as well, but it isn't as simple to use and configure with Chrome and Firefox as it is with Internet Explorer on a Windows workstation. You need to do two things before you can use Kerberos for authentication in Chrome or Firefox:

  1. Create a Kerberos ticket with the Ticket Viewer application (/System/Library/CoreServices/Ticket Viewer) or from the command line (run kinit, then enter your password). See this article for more detailed instructions.
  2. Configure Chrome's whitelist to allow authentication against any domains you will be using (along with the domain you used with kinit above). In the Terminal, run the following commands:
    $ defaults write com.google.Chrome AuthServerWhitelist "*.<domain>"
    $ defaults write com.google.Chrome AuthNegotiateDelegateWhitelist "*.<domain>"

In the examples above, replace <domain> with your domain. For the Chrome defaults you can list multiple domains, separated by commas. The asterisk is a wildcard, so any subdomain of the listed domain will match.

Safari works out of the box once you've created a Kerberos ticket as outlined in step 1; Firefox just needs a couple of settings configured on its about:config page.
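The steps above are easy to get subtly wrong (a missing ticket, a whitelist entry with a scheme or space in it, forgetting the browser restart), so here is an added shell script, not part of the original post, that wraps them in checks. It assumes Chrome's bundle id is com.google.Chrome (Chromium uses org.chromium.Chromium), uses the Firefox preference names network.negotiate-auth.trusted-uris and network.negotiate-auth.delegation-uris (the first of which a commenter below also mentions), and the domain patterns `*.corp.example` and `*.intranet.example` are constructed placeholders. Off macOS, where defaults(1) does not exist, it only prints what it would run.

```shell
#!/bin/sh
# Added example (not from the original post): validate, build and apply the
# browser Kerberos whitelist, and check that a ticket exists first.

# Join domain patterns into the comma-separated list both browsers expect.
# Rejects entries that are not hostname patterns (a scheme, a space or a path
# would silently make the whole whitelist useless).
build_whitelist() {
  out=""
  for entry in "$@"; do
    case "$entry" in
      ""|*[!A-Za-z0-9.*-]*)
        printf 'invalid whitelist entry: %s\n' "$entry" >&2
        return 1 ;;
    esac
    if [ -z "$out" ]; then out="$entry"; else out="$out,$entry"; fi
  done
  printf '%s' "$out"
}

# Render the two user.js lines for a Firefox profile (assumed pref names).
render_firefox_prefs() {
  list=$(build_whitelist "$@") || return 1
  printf 'user_pref("network.negotiate-auth.trusted-uris", "%s");\n' "$list"
  printf 'user_pref("network.negotiate-auth.delegation-uris", "%s");\n' "$list"
}

# 0 if a valid ticket exists, 1 if not, 2 if klist is not installed.
# klist -s is supported by both Heimdal (macOS) and MIT Kerberos.
have_ticket() {
  command -v klist >/dev/null 2>&1 || return 2
  klist -s
}

# Write both Chrome/Chromium keys for the given bundle id. Prints one line per
# key; when defaults(1) is missing it is a dry run.
apply_chrome_whitelist() {
  bundle="$1"; shift
  list=$(build_whitelist "$@") || return 1
  for key in AuthServerWhitelist AuthNegotiateDelegateWhitelist; do
    if command -v defaults >/dev/null 2>&1; then
      defaults write "$bundle" "$key" "$list"
      printf 'set %s %s\n' "$bundle" "$key"
    else
      printf 'dry-run: defaults write %s %s "%s"\n' "$bundle" "$key" "$list"
    fi
  done
}

main() {
  if have_ticket; then
    echo "Kerberos ticket present"
  else
    echo "no valid ticket: run kinit first" >&2
  fi
  apply_chrome_whitelist com.google.Chrome '*.corp.example' '*.intranet.example'
  render_firefox_prefs '*.corp.example' '*.intranet.example'
  echo "restart the browser for the change to take effect"
}

# Run with "run" as the first argument; sourcing the file only defines functions.
case "${1:-}" in run) main ;; esac
```

Chrome 86 and later read the renamed policy keys AuthServerAllowlist and AuthNegotiateDelegateAllowlist; if the whitelist keys above have no effect on a current Chrome, write the same value under those names.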


My reading tells me that Safari doesn't support Kerberos ticket forwarding. Any thoughts?

Thank you! I've been struggling for a month now to make Chrome work with our Sophos firewall.
No extensions worked. Your method however worked on the first try.

What about Firefox? What are the couple of settings?

Go to about:config and add your to network.negotiate-auth.trusted-uris. The field is comma delimited. The user.js file, which lives under the user's Mozilla profile, can auto-set these preferences.

Thanks. This was very helpful and got my Chrome auth via Kerberos working.

Can you provide an example of the syntax for multiple domains? I can't seem to get it quite right.

The syntax is "*,*", so just comma separated. This at least works for me.
Most important part, though, is that you will have to restart Google Chrome after making this change.

Great information! At my company we just adjusted to "does not work with Chrome". But now! Thanks to you! Everything works!

If you are using Chromium you need to use "org.chromium.Chromium" as a key to write to. Not really easy to find.