Using Kerberos authentication for CERN Single Sign On (SSO) / firefox

CERN uses Microsoft Active Directory Federation Services (ADFS) to provide Single Sign-On (SSO) authentication and authorization services for web applications. ADFS supports multiple authentication mechanisms: NTLM, certificates, username/password (forms-based), and Kerberos.

This documentation outlines the setup that allows Linux clients to use Kerberos-based authentication with CERN SSO in the Mozilla Firefox web browser.

While the initial installation of the required software is specific to the CERN SLC6 and SLC5 Linux distributions, the same functionality should be applicable on any modern Linux platform that is configured for the CERN Kerberos realm and runs at least Firefox 10.X with Kerberos authentication enabled (and configured for the cern.ch domain).

Software installation for Firefox

As root on your SLC6 or SLC5 system, run:
# yum install mozilla-prefs
Once installation of the required software packages finishes, restart Firefox.
(Note: As of the SLC6/5 update of 12.03.2012, the mozilla-prefs package is pre-installed on all systems.)

Software installation for Chromium

The official documentation explains the different options in detail.
# mkdir -p /etc/opt/chrome/policies/{recommended,managed}
# chmod -w /etc/opt/chrome/policies/managed
# echo '{ "AuthServerWhitelist": "*.cern.ch" }' > /etc/opt/chrome/policies/managed/cern.json
Note: As of Chrome/Chromium 41, the old command line option --auth-server-whitelist is disabled.

Usage

When redirected to the CERN Single Sign-On login page (login.cern.ch) for authentication, click on Sign in using your current Windows/Kerberos credentials (you may also choose [autologon] next to it).

Note: a username/password popup window should not appear.
- if it does, verify the validity of your credentials by running:
# klist
- its output should show a valid ticket with an expiry date in the future:
Ticket cache: FILE:/tmp/krb5cc_14213_RZEYN11810
Default principal: jpolok@CERN.CH

Valid starting     Expires            Service principal
03/13/12 14:27:29  03/14/12 14:07:50  krbtgt/CERN.CH@CERN.CH
    renew until 03/18/12 12:44:34
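
The check described above can be scripted. The following is an added example, not part of the original CERN documentation: a shell function that reads klist output and reports whether the realm's ticket-granting ticket is valid, expired or missing. The names tgt_status and sample_klist are made up for this example, and it assumes the MM/DD/YY date layout shown in the output above.

```shell
#!/bin/sh
# Added example: classify klist output as valid / expired / missing TGT.
# Assumes the MM/DD/YY HH:MM:SS layout shown on this page; other klist
# builds or locales print dates differently.

# tgt_status REALM NOW   (reads klist output on stdin)
#   NOW is a sortable stamp YYMMDDHHMMSS, e.g. $(date +%y%m%d%H%M%S)
#   Prints valid|expired|missing and returns 0|1|2.
tgt_status() {
    awk -v svc="krbtgt/$1@$1" -v now="$2" '
        # Ticket line: start-date start-time end-date end-time service
        $5 == svc && $3 ~ /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9]$/ {
            split($3, d, "/"); split($4, t, ":")
            expires = d[3] d[1] d[2] t[1] t[2] t[3]   # YYMMDDHHMMSS
            found = 1
            if ((expires + 0) > (now + 0)) ok = 1
        }
        END {
            if (!found) { print "missing"; exit 2 }
            if (!ok)    { print "expired"; exit 1 }
            print "valid"
        }'
}

# Sample input: the klist output reproduced from this page.
sample_klist() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_14213_RZEYN11810
Default principal: jpolok@CERN.CH

Valid starting     Expires            Service principal
03/13/12 14:27:29  03/14/12 14:07:50  krbtgt/CERN.CH@CERN.CH
    renew until 03/18/12 12:44:34
EOF
}

# Demo with two constructed "current time" stamps: one inside the ticket
# lifetime, one after it has expired.
for stamp in 120313150000 120315090000; do
    printf '%s: ' "$stamp"
    sample_klist | tgt_status CERN.CH "$stamp" || true
done

# Against a live credential cache:
#   klist | tgt_status CERN.CH "$(date +%y%m%d%H%M%S)"
```

A result of "expired" or "missing" explains a username/password popup: the browser has no usable ticket to present, so obtain a fresh one with kinit before retrying.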