Cloudera Docs

How to Configure Browsers for Kerberos Authentication

How to enable specific web browsers to use SPNEGO to negotiate Kerberos authentication.

The browser configurations below are required only for those browsers used to connect to component web interfaces with the Require Authentication for HTTP Web Consoles configuration property enabled. The settings below enable the respective browser to use SPNEGO to negotiate Kerberos authentication for the browser. The host running the browser must have a valid TGT to authenticate to Kerberos Web Consoles.

Mozilla Firefox

  1. Open the low level Firefox configuration page by loading the about:config page.
  2. In the Search text box, enter: network.negotiate-auth.trusted-uris
  3. Double-click the network.negotiate-auth.trusted-uris preference and enter the hostname or the domain of the web server that is protected by Kerberos HTTP SPNEGO. Separate multiple domains and hostnames with a comma.
  4. Click OK.

Internet Explorer

Follow the steps below to configure Internet Explorer.

Configuring the Local Intranet Domain
  1. Open Internet Explorer and click the Settings gear icon in the top-right corner. Select Internet options.
  2. Select the Security tab.
  3. Select the Local Intranet zone and click the Sites button.
  4. Make sure that the first two options, Include all local (intranet) sites not listed in other zones and Include all sites that bypass the proxy server are checked.
  5. Click Advanced and add the names of the domains that are protected by Kerberos HTTP SPNEGO, one at a time, to the list of websites. For example, myhost.example.com. Click Close.
  6. Click OK to save your configuration changes.
Configuring Intranet Authentication
  1. Click the Settings gear icon in the top-right corner. Select Internet options.
  2. Select the Security tab.
  3. Select the Local Intranet zone and click the Custom level... button to open the Security Settings - Local Intranet Zone dialog box.
  4. Scroll down to the User Authentication options and select Automatic logon only in Intranet zone.
  5. Click OK to save these changes.

Verifying Proxy Settings

Perform these steps only if you have a proxy server already enabled.
  1. Click the Settings gear icon in the top-right corner. Select Internet options.
  2. Select the Connections tab and click LAN Settings.
  3. Verify that the proxy server Address and Port number settings are correct.
  4. Click Advanced to open the Proxy Settings dialog box.
  5. Add the Kerberos-protected domains to the Exceptions field.
  6. Click OK to save any changes.

Google Chrome

For Windows:
  • Open the Control Panel to access the Internet Options dialog. Use the same configuration as detailed in Configuration changes required are the same as those described above for Internet Explorer.
For Linux or MacOS:
  • Add the --auth-server-allowlist parameter to the google-chrome command. For example, to run Chrome from a Linux prompt, run the google-chrome command as follows: 
    > google-chrome --auth-server-allowlist = "hostname/domain"