Enabling Kerberos in Firefox for all users
Table of Contents
Users can enable Kerberos single sign-on (SSO) authentication using preference in their browser profile but it's also possible to set the default for all Firefox users on the system.
User settings in about:config
Firefox users may change the preferences of their profiles using→ , which in latest Firefox versions actually leads to about:preferences page. However, preferences related to the Negotiate HTTP authentication which is the mechanism used for GSS-API and Kerberos authentication are not here but in about:config page which lists all options in tabular form.
The option we are looking for is
Users can set it to contain comma-separated list of domains
or URL prefixes for which the Negotiate HTTP authentication
should be attempted.
1: Modifying trusted-uris value
2: The trusted-uris was set by user
For Kerberos it means that when accessing site matching
the domain or URL and if the request is met with HTTP status
401 Unauthorized and HTTP response header
WWW-Authenticate: Negotiate, the browser will
check the Kerberos ticket cache and if it finds ticket-granting
ticket for realm corresponding to the domain (check
/etc/krb5.conf), it will attempt to get service
HTTP/ service. It then retries the
request with the GSS-API data containing the service ticket,
which the server verifies and authenticates the user. Or in
simpler terms, the browser will use Kerberos authentication
against servers that support it and that match the domain
or URL prefix in the
network.negotiate-auth.trusted-uris list, for example www.example.com.
Changing the defaults
When Firefox is started, it reads global preferences files from
/usr/lib64/firefox/browser/defaults/preferences/ directory (on 32-bit systems, use
/usr/lib/...). To change the default for all users that will
run Firefox on that system, run
# echo 'pref("network.negotiate-auth.trusted-uris", ".example.com");' > /usr/lib64/firefox/browser/defaults/preferences/kerberos.jsor use some other mechanism to put line
pref("network.negotiate-auth.trusted-uris", ".example.com");in some
.jsfile in that directory. Configuration management will work and so will distributing that file packaged in rpm — check a
.specfile which can be used to build configuration rpm for your organization.
3: Modified default value
Note that the value
.example.com is now
marked as default. The user can still modify the value in their
profile, to perhaps add additional domains, but if they
the value (right click on
the line brings the menu), it will revert to this default
Configuring with ipa-client-install
In setups when the machine is being IPA-enrolled using
ipa-client-install, it is possible to let
it also configure the Firefox defaults using the mechanism described
above. The option is called
and typical process would be:
Create the host record on IPA server, generate one-time password:
ipa$ ipa host-add --random client1.example.com -------------------------------- Added host "client1.example.com" -------------------------------- Host name: client1.example.com Random password: A5dGy0WlXK5E Password: True Keytab: False Managed by: client1.example.com
On the machine which is being enrolled, use that
one-time password plus the option to configure Firefox:
client1# ipa-client-install -w A5dGy0WlXK5E --configure-firefox -U [...] Firefox sucessfully configured. [...] Client configuration complete.
In Firefox default preference directory, file
all-ipa.js will be created with the
IPA domain configured as the trusted URI:
/* Kerberos SSO configuration */ pref("network.negotiate-auth.trusted-uris", ".example.com");There are also additional
network.negotiate-auth.*value configured in that file but they just repeat the defaults that are already there on latest Firefox versions.