background preloader

Chrome GSSAPI / SPNEGO

Facebook Twitter

Chrome and SPNEGO « about:nothing. Update: The landscape on OS X has changed since this post was written. Hugh Cole Baker provided in a comment an excellent mechanism for setting self-managed policy on OS X which beats my clunky wrapper; Lion’s Kerberos support has changed in a way which prevents SPNEGO working for our Cosign servers (though a fix at our end is planned); Chrome on Linux gained a proper managed configuration, which we use locally (I produced the lcfg-chrome component for this purpose).

I was most impressed by the efficient conclusion to the enhancement request for SPNEGO on Chrome, but having read that the request had been met, I struggled for far too long to discover how to activate it. Irritated by Firefox 4 beta 7’s breakage of SPNEGO on the Mac*, but reluctant to revert 3.6, I felt it was time to reinvestigate the alleged Chrome support (note, you can restore SPNEGO to beta 7 by selecting “Open in 32-bit mode” from the application’s Finder properties).

Limitations. Configure Chromium to authenticate using SPNEGO and Kerberos. Objective To configure Chromium (or Google Chrome) to authenticate using SPNEGO and Kerberos Background Kerberos is an authentication protocol that supports the concept of Single Sign-On (SSO). Having authenticated once at the start of a session, users can access network services throughout a Kerberos realm without authenticating again.

For this to work it is necessary to use network protocols that are Kerberos-aware. In the case of HTTP, support for Kerberos is normally provided by the SPNEGO authentication mechanism (Simple and Protected GSS-API Negotiation), also known as ‘integrated authentication’ or ‘negotiate authentication’. Chromium supports SPNEGO, but it is disabled by default for security reasons. Scenario Suppose you wish to authenticate to the web site using Kerberos.

Method To enable SPNEGO, the URL in question must be whitelisted using the --auth-server-whitelist option when Chromium is started. Chromium-browser --auth-server-whitelist="www.example.com" Configure Chromium to authenticate using SPNEGO and Kerberos. Why does Negotiate/SPNEGO/GSSAPI/Kerberos not work with the Chrome Browser on Windows [or Mac]? Possible? HTTP authentication. Issue 33033 - chromium - Add GSSAPI support to Linux and OSX for Negotiate - An open-source project to help move the web forward.