Chapter 13. Configuring Applications for Single Sign-On
Some common applications, such as browsers and email clients, can be configured to use Kerberos tickets, SSL certificates, or tokens as a means of authenticating users.
The precise procedures to configure any application depend on that application itself. The examples in this chapter (Mozilla Thunderbird and Mozilla Firefox) are intended to give you an idea of how to configure a user application to use Kerberos or other credentials.
13.1. Configuring Firefox to Use Kerberos for Single Sign-On
Firefox can use Kerberos for single sign-on (SSO) to intranet sites and other protected websites. For Firefox to use Kerberos, it first has to be configured to send Kerberos credentials to the appropriate KDC.
Even after Firefox is configured to pass Kerberos credentials, it still requires a valid Kerberos ticket to use. To generate a Kerberos ticket, use the kinit command and supply the user password for the user on the KDC.
[jsmith@host ~] $ kinit
Password for jsmith@EXAMPLE.COM:
To configure Firefox to use Kerberos for SSO:
- In the address bar of Firefox, type about:config to display the list of current configuration options.
- In the Filter field, type negotiate to restrict the list of options.
- Double-click the network.negotiate-auth.trusted-uris entry.
- Enter the name of the domain against which to authenticate, including the preceding period (.). If you want to add multiple domains, enter them in a comma-separated list.
Figure 13.1. Manual Firefox Configuration
It is not recommended to configure delegation using the network.negotiate-auth.delegation-uris entry in the Firefox configuration options because this enables every Kerberos-aware server to act as the user.
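To check a deployed profile against the procedure and the delegation warning above, the following added example (not part of the original guide) audits the two negotiate-auth preferences in a Firefox preferences file. It assumes the settings are read from the profile's prefs.js or user.js in `user_pref("name", "value");` form; the sample file contents and the approved-domain list are constructed for illustration.

```python
import re

# One string-valued line of a Firefox prefs.js/user.js file (assumed format), e.g.
#   user_pref("network.negotiate-auth.trusted-uris", ".example.com");
# Values containing escaped quotes are not handled by this pattern.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)\s*;', re.M)

TRUSTED = "network.negotiate-auth.trusted-uris"
DELEGATION = "network.negotiate-auth.delegation-uris"

# Constructed sample input, not taken from a real profile.
SAMPLE_PREFS = '''\
user_pref("browser.startup.homepage", "https://intranet.example.com/");
user_pref("network.negotiate-auth.trusted-uris", ".example.com, example.org,.partner.test");
user_pref("network.negotiate-auth.delegation-uris", ".example.com");
'''


def parse_prefs(text):
    """Return {pref name: string value}; a later line overrides an earlier one."""
    return {name: value for name, value in PREF_RE.findall(text)}


def split_uris(value):
    """Split a comma-separated preference value into trimmed, non-empty entries."""
    return [e.strip() for e in value.split(",") if e.strip()]


def audit(text, approved_domains):
    """Return (preference, entry, problem) tuples for the negotiate-auth settings."""
    prefs = parse_prefs(text)
    approved = {d.lower().lstrip(".") for d in approved_domains}
    findings = []
    for entry in split_uris(prefs.get(TRUSTED, "")):
        if entry.lower().lstrip(".") not in approved:
            findings.append((TRUSTED, entry, "not an approved domain"))
        elif not entry.startswith("."):
            findings.append((TRUSTED, entry, "missing the preceding period"))
    # Any delegation entry is reported, following the recommendation above.
    for entry in split_uris(prefs.get(DELEGATION, "")):
        findings.append((DELEGATION, entry, "delegation is enabled for this entry"))
    return findings


if __name__ == "__main__":
    # The approved list is a hypothetical site policy.
    for pref, entry, problem in audit(SAMPLE_PREFS, [".example.com", ".example.org"]):
        print(f"{pref}: {entry!r}: {problem}")
```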
For more information, see Configuring the Browser for Kerberos Authentication in the Linux Domain Identity, Authentication, and Policy Guide.