0

How to Configure Kerberos Authentication in Edge, Chrome, and Firefox (version 25)

If wishing to enable Kerberos within the Identity service, the following configuration changes may be needed depending on the browser you are using.

Edge

  1. Install the Edge administrative template .
  2. Add the hostname of the Identity service to the Http authentication -> AuthServerAllowlist policy. Docs

Chrome

  1. Install the Chrome administrative template .
  2. Add the hostname of the Identity service to the Http authentication -> AuthServerAllowList policy. Docs

Firefox

  1. Install the Firefox administrative template .
  2. Add the hostname of the Identity service to the Authentication -> SPNEGO policy. Docs

Load Balancer

When the Identity service is behind a load balancer or reverse proxy (including the Axiom reverse proxy which was introduced in v25.0), the Identity service will need to be running as a domain account, and an SPN must be created. The SPN should have the hostname of the load balancer/proxy, and should be placed on the service account which is running the Identity service. For example:

setspn -S HTTP/load-balancer.example.com domain\ServiceAccount

Reply

null