0

How to Configure Kerberos Authentication in Edge, Chrome, and Firefox (version 25)

Knowledge Base / Version 25 / System Admin Duties / Identity

If wishing to enable Kerberos within the Identity service, the following configuration changes may be needed depending on the browser you are using.

Edge

  1. Install the Edge administrative template .
  2. Add the hostname of the Identity service to the Http authentication -> AuthServerAllowlist policy. Docs

Chrome

  1. Install the Chrome administrative template .
  2. Add the hostname of the Identity service to the Http authentication -> AuthServerAllowList policy. Docs

Firefox

  1. Install the Firefox administrative template .
  2. Add the hostname of the Identity service to the Authentication -> SPNEGO policy. Docs

Load Balancer

When the Identity service is behind a load balancer or reverse proxy (including the Axiom reverse proxy which was introduced in v25.0), the Identity service will need to be running as a domain account, and an SPN must be created. The SPN should have the hostname of the load balancer/proxy, and should be placed on the service account which is running the Identity service. For example:

setspn -S HTTP/load-balancer.example.com domain\ServiceAccount

Reply

null
Login to reply

Content aside

print this pagePrint this page
Related Articles
How to Change the Identity REST API Port (version 25)
Kerberos Authentication Limitation (version 25)
How to Configure Kerberos Authentication in Edge, Chrome, and Firefox (version 25)
Identity Architectures (version 25)
How to Create an API Token (version 25)
How to Add an OpenID Connect Identity Provider (version 25)
Identity Tile (version 25)
Identity Overview (version 25)
Tag Security (version 25)