Client (browser) configuration

As you know, the Kerberos authentication protocol supports the concept of Single Sign-On (SSO). After being authenticated at the first start of a session, users can access network services through a Kerberos realm without re-authentication. To make this work, you need to use network protocols that are aware of Kerberos. In the case of HTTP, Kerberos is normally provided by the SPNEGO authentication mechanism - also known as "negotiate authentication". The below steps are different among browsers, so consult the relevant documentation of your OS or web browser. In this section, only 2 most popular browsers, including Firefox and Internet Explorer, are covered.


Although SPNEGO is supported in Firefox, but it is disabled by default for some security reasons. Supposing that you want to authenticate the http://server.example.com website using Kerberos, the web server should be configured to accept the Kerberos tickets from the EXAMPLE.COM realm that you created earlier.

To do this, you need to enable the Negotiate authentication of Firefox in client machines so that clients could be authenticated by eXo Platform as follows:

  1. Start Firefox, then enter about:config in the location bar.

  2. Click the I'll be careful, I promise! link to access the configurations.

  3. Enter network.negotiate-auth on the search bar to filter the relevant settings from the list:

  4. Double-click the network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris. A dialog box for editing the values should appear.

  5. Enter the required hostname, then click OK. You may need to restart Firefox for these changes to take effect.

    network.negotiate-auth.allow-proxies = true
    network.negotiate-auth.delegation-uris = .example.com
    network.negotiate-auth.gsslib (no-value)
    network.negotiate-auth.trusted-uris = .example.com
    network.negotiate-auth.using-native-gsslib = true

Internet Explorer

Internet Explorer will only perform SPNEGO authentication against sites that are set in the Local Intranet zone. Thus, you need to add the site (http://server.example.com in this example) to this zone as follows:

  1. Open IE, then click Tools tabInternet Options. If you are using Windows Vista or Windows 7, you can click Start and type Internet Options.

  2. Select Security tabLocal intranetSitesAdvanced.

  3. Enter the fully qualified domain name of the application server into the text field, then click Add.

  4. Click Close, then OK through the various windows. You may need to restart Internet Explorer for the changes to take effect.

Now, you can move to the next section for testing.

Copyright ©. All rights reserved. eXo Platform SAS
blog comments powered byDisqus