Chapter 13. Configuring Applications for Single Sign-On

Some common applications, such as browsers and email clients, can be configured to use Kerberos tickets, SSL certificates, or tokens as a means of authenticating users.
The precise procedures to configure any application depend on that application itself. The examples in this chapter (Mozilla Thunderbird and Mozilla Firefox) are intended to give you an idea of how to configure a user application to use Kerberos or other credentials.

13.1. Configuring Firefox to Use Kerberos for Single Sign-On

Firefox can use Kerberos for single sign-on (SSO) to intranet sites and other protected websites. For Firefox to use Kerberos, it first has to be configured to send Kerberos credentials to the appropriate KDC.
Even after Firefox is configured to pass Kerberos credentials, it still requires a valid Kerberos ticket to use. To generate a Kerberos ticket, use the kinit command and supply the user password for the user on the KDC.
[jsmith@host ~] $ kinit
Password for jsmith@EXAMPLE.COM:
To configure Firefox to use Kerberos for SSO:
  1. In the address bar of Firefox, type about:config to display the list of current configuration options.
  2. In the Filter field, type negotiate to restrict the list of options.
  3. Double-click the network.negotiate-auth.trusted-uris entry.
  4. Enter the name of the domain against which to authenticate, including the preceding period (.). If you want to add multiple domains, enter them in a comma-separated list.
    Figure 13.1. Manual Firefox Configuration


It is not recommended to configure delegation using the network.negotiate-auth.delegation-uris entry in the Firefox configuration options because this enables every Kerberos-aware server to act as the user.
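To check the result of the procedure and the delegation warning above on a deployed profile, the following added example (not part of the original guide) audits the text of a Firefox profile's prefs.js file. The function names, the expected_domains parameter, and the sample input are assumptions made for illustration.

```python
import re

# Matches one string preference line as written in a Firefox profile's prefs.js.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*"([^"]*)"\);')

TRUSTED = "network.negotiate-auth.trusted-uris"
DELEGATION = "network.negotiate-auth.delegation-uris"


def parse_prefs(text):
    """Return {pref name: list of comma-separated entries} for the two prefs."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) in (TRUSTED, DELEGATION):
            prefs[m.group(1)] = [e.strip() for e in m.group(2).split(",") if e.strip()]
    return prefs


def audit(text, expected_domains):
    """Return a list of findings for the given prefs.js text.

    expected_domains (hypothetical parameter): the domains intended for SSO,
    each with the preceding period, for example [".example.com"].
    """
    prefs = parse_prefs(text)
    findings = []
    for entry in prefs.get(TRUSTED, []):
        if entry not in expected_domains:
            findings.append(f"unexpected trusted-uris entry: {entry}")
    for domain in expected_domains:
        if domain not in prefs.get(TRUSTED, []):
            findings.append(f"SSO domain missing from trusted-uris: {domain}")
    for entry in prefs.get(DELEGATION, []):
        findings.append(f"delegation enabled for: {entry}")
    return findings


# Constructed sample input, not taken from a real profile.
SAMPLE = '''\
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.negotiate-auth.trusted-uris", ".example.com, .test.example.org");
user_pref("network.negotiate-auth.delegation-uris", ".example.com");
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE, [".example.com"]):
        print(finding)
```

An empty result means that trusted-uris lists exactly the intended domains and that no delegation entry is set.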


For information about configuring Firefox to use Kerberos in Identity Management, see the corresponding section in the Linux Domain Identity, Authentication, and Policy Guide.