Firefox Kerberos and Active Directory SSO

At my company there are several internal Windows web servers using AD and Kerberos single sign-on. That means that on a Windows computer with Internet Explorer, I don't need to authenticate to access those web servers: the browser reuses the Kerberos ticket obtained at Windows logon. Using Firefox, I have to give a username and password to each and every site. This article describes how I made single sign-on work with Firefox.

Ubuntu (Natty) client with Firefox 4
First, the Kerberos client tools need to be installed; they are not part of a default Ubuntu Natty installation. When I tried to run kinit (and mistyped it) I got the following:

$ kniit
No command 'kniit' found, did you mean:
 Command 'kinit' from package 'heimdal-clients' (universe)
 Command 'kinit' from package 'krb5-user' (main)

I guessed correctly and installed krb5-user (the MIT Kerberos client; heimdal-clients is the alternative Heimdal implementation):

$ sudo apt-get install krb5-user

That installation asked me for the default Kerberos realm, and I gave the internal DNS domain name, which is of the form:

ad.mycompany.intra

The servers I want to access are called things like:

http://intranet.ad.mycompany.intra
http://server321.ad.mycompany.intra
http://portal.ad.mycompany.intra

This realm was then stored, upper-cased as Kerberos realm names conventionally are, in the Kerberos configuration file:

# /etc/krb5.conf
[libdefaults]
        # Realm names are upper-case by convention, even though the
        # matching DNS domain (ad.mycompany.intra) is not.
        default_realm = AD.MYCOMPANY.INTRA

Now running kinit asked for my password and I authenticated successfully. My username on my Ubuntu client happened to be the same as my username in Active Directory, so kinit could default the principal to zo0ok@AD.MYCOMPANY.INTRA; if the names differ, the principal is given explicitly (kinit otheruser@AD.MYCOMPANY.INTRA):

zo0ok@zo0ok-workstation:~$ kinit
Password for zo0ok@AD.MYCOMPANY.INTRA: 
zo0ok@zo0ok-workstation:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: zo0ok@AD.MYCOMPANY.INTRA

Valid starting     Expires            Service principal
05/26/11 13:10:39  05/26/11 23:11:09  krbtgt/AD.MYCOMPANY.INTRA@AD.MYCOMPANY.INTRA
	renew until 05/27/11 13:10:39
zo0ok@zo0ok-workstation:~$ kdestroy
zo0ok@zo0ok-workstation:~$ 

The example above authenticates (obtaining a ticket-granting ticket, the krbtgt entry, valid for about ten hours), lists my tickets and destroys them.

Now it is time for the Firefox configuration. In the URL field, type about:config. You may get a warning about dangerous things and voiding your warranty. Proceed and you get to a page with a great many settings. We want to set:

network.negotiate-auth.trusted-uris = .ad.mycompany.intra

I have been told the . before ad is important. Not sure. It should also be possible to include more servers/domains using , between them. I don't know exactly how flexible the field is, but the above setting works for me.

Now I can single sign on to internal web pages using Firefox on Linux! Note that I have to authenticate using the kinit command: Firefox does not obtain tickets itself, it only uses the credential cache that kinit has already filled, so when the ticket expires I have to run kinit again. It does not work to authenticate to one site in Firefox and hope to get SSO to all the others.
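The steps above (ticket, server challenge, Firefox preference) can be checked from the command line before involving Firefox at all. The script below is an added example, not part of the original post; it assumes krb5-user and curl are installed, uses the realm and trusted-URI value from this article, and writes the Firefox setting as a user.js line (the file-based equivalent of the about:config change). The sample header text used in the comments is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example: verify the Kerberos/SPNEGO chain outside Firefox.
# Assumptions (from the article, not from the verifier's environment):
#   realm AD.MYCOMPANY.INTRA, trusted suffix .ad.mycompany.intra,
#   a site such as http://intranet.ad.mycompany.intra/ to probe.

REALM="AD.MYCOMPANY.INTRA"
TRUSTED=".ad.mycompany.intra"

# Step 1: a ticket-granting ticket must already be in the credential cache.
# klist -s exits non-zero when the cache is missing or every ticket expired,
# which is exactly the "kinit again" case described in the article.
ensure_tgt() {
    if klist -s 2>/dev/null; then
        echo "TGT present:"
        klist | grep krbtgt
    else
        kinit "${USER}@${REALM}"
    fi
}

# Step 2: given a header dump (curl -D -), does the server offer Negotiate?
# Without a "WWW-Authenticate: Negotiate" challenge Firefox never sends a ticket,
# no matter what trusted-uris says.
offers_negotiate() {
    printf '%s\n' "$1" | grep -qi '^WWW-Authenticate: *Negotiate'
}

# Step 3: status code of the final response in a header dump. With --negotiate
# curl logs two responses (401 challenge, then the authenticated reply), so the
# last HTTP/ line is the one that matters.
final_status() {
    printf '%s\n' "$1" | grep '^HTTP/' | tail -n 1 | awk '{print $2}'
}

# Step 4: probe a URL anonymously, then with the cached Kerberos ticket.
# "-u :" tells curl to use GSSAPI credentials instead of a password.
probe() {
    url="$1"
    anon=$(curl -s -D - -o /dev/null "$url")
    if offers_negotiate "$anon"; then
        echo "$url offers Negotiate (anonymous status $(final_status "$anon"))"
    else
        echo "$url did not offer Negotiate; browser SSO cannot work here"
        return 1
    fi
    auth=$(curl -s -D - -o /dev/null --negotiate -u : "$url")
    status=$(final_status "$auth")
    echo "authenticated request ended with HTTP $status"
    # A Kerberos (not NTLM) exchange leaves an HTTP/<host> service ticket behind.
    klist 2>/dev/null | grep 'HTTP/' || echo "no HTTP/ service ticket in cache"
    [ "$status" = "200" ]
}

# Step 5: the Firefox preference as a user.js line (append to the profile's
# user.js). Keep the list to the internal domain: Firefox will present a
# Kerberos ticket, and thereby your principal name, to any matching host.
firefox_user_js() {
    printf 'user_pref("network.negotiate-auth.trusted-uris", "%s");\n' "$1"
}

# Usage: ./krb-sso-check.sh http://intranet.ad.mycompany.intra/
if [ -n "${1:-}" ]; then
    ensure_tgt
    probe "$1"
    firefox_user_js "$TRUSTED"
fi
```

Run it with the URL of one of the internal servers. A 401 with a Negotiate challenge followed by a 200 on the --negotiate request, plus an HTTP/ ticket in klist, means the Kerberos side is fine and any remaining problem is the Firefox preference; a missing Negotiate header means the server is not configured for Kerberos SSO and no browser setting will help.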
