Appendix E. Configure Browsers for Spnego Negotiation

E.1 Firefox

Complete the following steps to ensure that your Firefox browser is enabled to perform Spnego authentication.

  • Open Firefox.
  • In the address field, type about:config.
  • In the filter/search box, type negotiate.
  • The parameter network.negotiate-auth.trusted-uris may be set to the default https://, which will not work for you. Generally speaking, this parameter has to be replaced with the server address if Kerberos delegation is required.
  • It is recommended to use https for all communication.

E.2 Chrome

With Google Chrome you generally need to set command-line parameters in order to whitelist the servers with which Chrome will negotiate.

  • On Windows machines (clients): Chrome shares its configuration with Internet Explorer, so if all changes were applied to IE (as described in E.3), nothing has to be passed via command-line parameters.
  • On Linux/Mac OS machines (clients): the command-line parameter --auth-negotiate-delegate-whitelist should only be used if Kerberos delegation is required (otherwise do not set this parameter).
  • It is recommended to use https for all communication.

--auth-server-whitelist="*.example.com"
--auth-negotiate-delegate-whitelist="*.example.com"

You can see which policies are enabled by typing chrome://policy/ into Chrome’s address bar.

On Linux, Chrome will also read policy files from the /etc/opt/chrome/policies/managed directory.

mypolicy.json. 

{
  "AuthServerWhitelist" : "*.example.org",
  "AuthNegotiateDelegateWhitelist" : "*.example.org",
  "DisableAuthNegotiateCnameLookup" : true,
  "EnableAuthNegotiatePort" : true
}
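
The following check is an added example, not part of the original appendix or of the project's code: it audits a managed policy document such as mypolicy.json before it is deployed, flagging a delegate list that is set when delegation is not required, patterns that match every host, and delegate patterns not covered by the negotiate list. The names audit_policy, patterns and delegation_required are hypothetical, the Allowlist keys are the spellings newer Chrome releases use for the same policies, and the coverage test is a simple heuristic.

```python
import json
from fnmatch import fnmatchcase

# Policy names used on this page, plus the Allowlist spellings of newer Chrome releases.
SERVER_KEYS = ("AuthServerWhitelist", "AuthServerAllowlist")
DELEGATE_KEYS = ("AuthNegotiateDelegateWhitelist", "AuthNegotiateDelegateAllowlist")

# The mypolicy.json shown above, and a constructed over-broad variant for comparison.
PAGE_POLICY = '''{
  "AuthServerWhitelist" : "*.example.org",
  "AuthNegotiateDelegateWhitelist" : "*.example.org",
  "DisableAuthNegotiateCnameLookup" : true,
  "EnableAuthNegotiatePort" : true
}'''
BROAD_POLICY = '{"AuthServerWhitelist": "app.example.org", "AuthNegotiateDelegateWhitelist": "*"}'


def patterns(policy, keys):
    """Collect the comma-separated host patterns set under any of the given keys."""
    found = []
    for key in keys:
        found += [p.strip().lower() for p in str(policy.get(key, "")).split(",") if p.strip()]
    return found


def audit_policy(text, delegation_required=False):
    """Return findings for one managed-policy JSON document (hypothetical helper)."""
    policy = json.loads(text)
    servers = patterns(policy, SERVER_KEYS)
    delegates = patterns(policy, DELEGATE_KEYS)
    findings = []
    if delegates and not delegation_required:
        findings.append("delegate list is set although delegation is not required")
    for pat in sorted(set(servers + delegates)):
        if not pat.strip("*."):
            findings.append(f"pattern {pat!r} matches every host")
    for pat in delegates:
        # Heuristic: substitute a label for '*' and require a negotiate pattern to match it.
        if not any(fnmatchcase(pat.replace("*", "x"), s) for s in servers):
            findings.append(f"delegate pattern {pat!r} is not covered by the negotiate list")
    return findings


if __name__ == "__main__":
    for name, text in (("page", PAGE_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_policy(text, delegation_required=True) or "ok")
```

Run it against each file under /etc/opt/chrome/policies/managed by passing the file's contents as text; an empty list means none of the three checks fired.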

E.3 Internet Explorer

Complete the following steps to ensure that your Internet Explorer browser is enabled to perform Spnego authentication.

  • Open Internet Explorer.
  • Click Tools > Internet Options > Security tab.
  • In the Local intranet section, make sure your server is trusted, for example by adding it to the list of sites.