Jul 23

If you are setting up a Kerberos user in Active Directory, you will need to run the following on one of the Kerberos domain controllers:

Setspn -A HTTP/site kerbuser

For example, if I had a website called support.acme.com and an Active Directory user called john.smith:

setspn -A HTTP/support.acme.com john.smith

Then after that I would run the following command:

ktpass -princ HTTP/site@KERBEROS_DOMAIN(ALL CAPS) -pass password -mapuser user@environment -out c:\temp\user.HTTP.keytab

For example:

ktpass -princ HTTP/support.acme.com@ACME.COM -pass password -mapuser john.smith@acme.com -out c:\temp\john.smith.HTTP.keytab
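
To confirm that the keytab written by ktpass holds the principal you intended and to see which key types it carries, the following added example (not part of the original post) parses the standard MIT keytab layout, assumed here to be version 0x0502. The function names and the sample bytes are constructed for illustration.

```python
import struct
# Kerberos enctype numbers mapped to their names.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK = {1, 3, 23}  # DES and RC4 keys are treated as weak here

def parse_keytab(data):
    """Return (principal, kvno, enctype name, is_weak) for each keytab entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        rec, pos, off = data[pos:pos + size], pos + size, 2
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        parts = []                         # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", rec, off)
            parts.append(rec[off + 2:off + 2 + n].decode())
            off += 2 + n
        _type, _time, kvno, etype, klen = struct.unpack_from(">IIBHH", rec, off)
        off += 13 + klen                   # skip the fixed fields and the key bytes
        if size - off >= 4:                # optional 32-bit kvno, used when nonzero
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        name = "/".join(parts[1:]) + "@" + parts[0]
        entries.append((name, kvno, ENCTYPES.get(etype, str(etype)), etype in WEAK))
    return entries

def audit_keytab(data, expected_principal):
    """List findings: expected principal absent, or present with a weak key type."""
    found = [e for e in parse_keytab(data) if e[0] == expected_principal]
    if not found:
        return [f"{expected_principal} not in keytab"]
    return [f"{p} kvno {k}: weak enctype {t}" for p, k, t, weak in found if weak]

def make_entry(realm, comps, kvno, etype, key):
    """Build one constructed keytab record (demo input only, dummy key bytes)."""
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", len(comps)) + cs(realm) + b"".join(map(cs, comps))
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample using the page's example principal: one RC4 key, one AES256 key.
SPN = ["HTTP", "support.acme.com"]
SAMPLE = b"\x05\x02" + make_entry("ACME.COM", SPN, 3, 23, bytes(16)) \
                     + make_entry("ACME.COM", SPN, 3, 18, bytes(32))
```

On the machine that will use the keytab, read the file in binary mode and pass its bytes to `audit_keytab` together with the principal given to `-princ`; an empty list means the principal is present with no weak key types.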

Once everything is set up, to log in to the website using Kerberos credentials through Firefox or Internet Explorer you need to do the following:

For Internet Explorer:

1.)  Join your computer to your Kerberos domain.

2.)  Log in to your PC using a Kerberos domain user.

3.)  Set up the following for IE:

a.)  Go to Tools -> Internet Options -> click on the “Security” tab.

b.) Click on “Local Intranet” and then “Sites”.

c.) Then click on “Advanced”, enter your site address here and click “Add”, then “Close”.

4.)  Now you should be able to authenticate to your site using Kerberos.

For Firefox:

1.) Join your computer to your Kerberos domain, which is usually your Active Directory domain.

2.) Log in to your PC using a Kerberos domain user, which is usually one of your Active Directory users.

3.) In Firefox go to the address bar and enter “about:config” without the quotes.

4.) Filter for the following:  network.negotiate-auth.trusted-uris and set the value to your website for example:  http://support.acme.com,http://support.company.com

5.) Then set the following:  network.negotiate-auth.using-native-gsslib to true.

6.) Then leave the page and go to your website and you should be able to log in.
