March 18, 2019

Google Chrome Kerberos Authentication

Kerberos is a network authentication protocol that supports Single Sign-On (SSO). For HTTP requests, support for Kerberos is provided by the SPNEGO authentication mechanism (Simple and Protected GSS-API Negotiation), also known as integrated authentication or negotiate authentication. Chromium supports SPNEGO, but it is disabled by default for security reasons.


Cunningham’s Law: “the best way to get the right answer on the internet is not to ask a question; it’s to post the wrong answer”.

Disclaimer: Please post a comment if I am wrong on anything.


If you are in an environment that uses Kerberos authentication and you are already authenticated, you can use your Kerberos ticket to authenticate against HTTP-based services by way of GSS-API.

To enable SPNEGO for Azure Active Directory Seamless Single Sign-On, Azure AD must be whitelisted using the --auth-server-whitelist flag when Chromium is started. In addition, since Azure AD is a trusted domain, we need to use the --auth-negotiate-delegate-whitelist flag to allow Kerberos delegation, so that Chromium is allowed to negotiate with Azure AD on your behalf when you are already authenticated.

This is how you would launch Google Chrome with GSS-API authentication pass-through enabled:

AZURE_AD_SSO=autologon.microsoftazuread-sso.com

/usr/bin/chromium-browser --auth-server-whitelist=${AZURE_AD_SSO} \
                          --auth-negotiate-delegate-whitelist=${AZURE_AD_SSO}
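
The launch line above can be generated from a checked host list, so that a wildcard or URL never reaches the delegation flag. This is an added example, not code from the original post: the function names check_auth_host and spnego_flags are hypothetical, and the exact-hostname rule is this example's own policy choice, not a Chromium requirement.

```shell
#!/bin/sh
# Added example: build both Chromium SPNEGO flags from one validated host list.

# check_auth_host HOST -> status 0 if HOST is an exact DNS name, 1 otherwise.
# Policy of this example: no wildcards, schemes, ports, paths or bare labels.
check_auth_host() {
    case "$1" in
        ''|.*|*.|*..*|-*) return 1 ;;      # empty or malformed labels
    esac
    case "$1" in
        *[!A-Za-z0-9.-]*) return 1 ;;      # rejects '*', '/', ':', ',', spaces
    esac
    case "$1" in
        *.*) return 0 ;;                   # require a dotted name
    esac
    return 1
}

# spnego_flags HOST... -> prints the two flags, one per line.
# Fails on the first rejected entry and prints nothing on stdout in that case.
spnego_flags() {
    list=
    for host in "$@"; do
        if ! check_auth_host "$host"; then
            echo "rejected whitelist entry: $host" >&2
            return 1
        fi
        list="${list:+$list,}$host"
    done
    [ -n "$list" ] || return 1
    printf '%s\n%s\n' "--auth-server-whitelist=$list" \
                      "--auth-negotiate-delegate-whitelist=$list"
}

# Usage with the host from this post (word splitting of the output is intended):
#   flags=$(spnego_flags "$AZURE_AD_SSO") && /usr/bin/chromium-browser $flags
```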


© Mike Hosseini 2019