Appendix E. Configure Browsers for Spnego Negotiation

Appendix E. Configure Browsers for Spnego Negotiation
Prev	Part IV. Appendices

E.1 Firefox

Complete following steps to ensure that your Firefox browser is enabled to perform Spnego authentication.

Open Firefox.
At address field, type about:config.
In filter/search, type negotiate.
Parameter network.negotiate-auth.trusted-uris may be set to default https:// which doesn’t work for you. Generally speaking this parameter has to replaced with the server address if Kerberos delegation is required.
It is recommended to use https for all communication.

E.2 Chrome

With Google Chrome you generally need to set command-line parameters order to white list servers with Chrome will negotiate.

on Windows machines (clients): Chrome shares the configuration with Internet Explorer so if all changes were applied to IE (as described in E.3), nothing has to be passed via command-line parameters.
on Linux/Mac OS machines (clients): the command-line parameter --auth-negotiate-delegate-whitelist should only used if Kerberos delegation is required (otherwise do not set this parameter).
It is recommended to use https for all communication.

--auth-server-whitelist="*.example.com"
--auth-negotiate-delegate-whitelist="*.example.com"

You can see which policies are enable by typing chrome://policy/ into Chrome’s address bar.

With Linux Chrome will also read policy files from /etc/opt/chrome/policies/managed directory.

mypolicy.json.

{
  "AuthServerWhitelist" : "*.example.org",
  "AuthNegotiateDelegateWhitelist" : "*.example.org",
  "DisableAuthNegotiateCnameLookup" : true,
  "EnableAuthNegotiatePort" : true
}

E.3 Internet Explorer

Complete following steps to ensure that your Internet Explorer browser is enabled to perform Spnego authentication.

Open Internet Explorer.
Click Tools > Intenet Options > Security tab.
In Local intranet section make sure your server is trusted by i.e. adding it into a list.

Prev	Up
Appendix D. Troubleshooting	Home