Kerberos authentication

Kerberos authentication lets you log in to CERN websites with a single click when you are already logged in to your system. It is enabled by default on all the centrally managed Windows machines at CERN, and it can also be configured on other devices.

System configuration

Linux

Please check the Linux @ CERN documentation on how to configure and use Kerberos in Linux.

Windows

Kerberos works out of the box on Windows computers managed by NICE Services. To set up Kerberos in an OEM Windows setup, you can get help from Windows Support.

Mac

Kerberos can be enabled using the built-in Ticket Viewer application.

Web browser settings

Mozilla Firefox

Firefox does not automatically perform Kerberos authentication against any sites. You must manually add sites to a trusted sites list.

To enable Kerberos authentication in Firefox:

  • Open Firefox and enter about:config in the address bar. Dismiss any warnings that appear.
  • In the Filter field, enter negotiate.
  • Double-click the network.negotiate-auth.trusted-uris preference. This preference lists the trusted sites for Kerberos authentication.
  • In the dialog box, enter cern.ch.
  • Click the OK button.
  • The domain that you just entered in network.negotiate-auth.trusted-uris should now appear in the Value column. The setting takes effect immediately; you do not have to restart Firefox.

Google Chrome

  • On Windows, the newest versions of Chrome work out of the box when the system is correctly configured (check Windows above).
  • On Linux, Chrome or Chromium must be started with the --auth-server-allowlist parameter (this parameter was called --auth-server-whitelist before Chrome 86):
    • google-chrome --auth-server-allowlist="auth.cern.ch,login.cern.ch"
    • chromium --auth-server-allowlist="auth.cern.ch,login.cern.ch"
    • You may also create a group policy for Chrome by creating the file /etc/opt/chrome/policies/managed/cern_kerberos_allow.json with the content:
      {
        "AuthServerAllowlist": "auth.cern.ch,login.cern.ch"
      }
  • On Mac, run the following in your terminal:
    defaults write com.google.Chrome AuthServerAllowlist "auth.cern.ch,login.cern.ch"

Note: if you experience issues, please make sure that the legacy parameter auth-server-whitelist has been removed.
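
The allowlist decides which servers the browser will answer with Kerberos credentials, so it is worth checking what is actually deployed. The following is an added example, not part of the CERN documentation: a Python check of the Linux managed-policy directory named above that reports a leftover legacy key and any allowlist entry other than the two hosts on this page. The function names and the sample policy are constructed for illustration, treating wildcards and other hosts as findings is an assumption of the example, and AuthServerWhitelist is the policy-file counterpart of the legacy flag.

```python
import glob
import json

POLICY_DIR = "/etc/opt/chrome/policies/managed"  # directory named on this page
EXPECTED = {"auth.cern.ch", "login.cern.ch"}     # hosts named on this page
LEGACY_KEY = "AuthServerWhitelist"               # policy name before Chrome 86
# Constructed sample policy, used only when no policy files are found.
SAMPLE = {"old.json": '{"AuthServerWhitelist": "cern.ch", '
                      '"AuthServerAllowlist": "auth.cern.ch,*.example.org"}'}


def audit_policies(files):
    """files maps filename -> JSON text; returns a list of (filename, finding)."""
    findings = []
    for name, text in sorted(files.items()):
        try:
            policy = json.loads(text)
            if not isinstance(policy, dict):
                raise ValueError("top level is not a JSON object")
        except ValueError as exc:  # JSONDecodeError is a ValueError subclass
            findings.append((name, f"invalid policy file: {exc}"))
            continue
        if LEGACY_KEY in policy:
            findings.append((name, f"legacy key {LEGACY_KEY} present"))
        value = policy.get("AuthServerAllowlist", "")
        if not isinstance(value, str):
            findings.append((name, "AuthServerAllowlist is not a string"))
            continue
        for host in (h.strip() for h in value.split(",")):
            if "*" in host:
                findings.append((name, f"wildcard entry: {host}"))
            elif host and host not in EXPECTED:
                findings.append((name, f"unexpected host: {host}"))
    return findings


def load_policy_dir(path=POLICY_DIR):
    """Read every *.json file in the managed-policy directory."""
    files = {}
    for fn in glob.glob(f"{path}/*.json"):
        with open(fn, encoding="utf-8") as fh:
            files[fn] = fh.read()
    return files


if __name__ == "__main__":
    for name, finding in audit_policies(load_policy_dir() or SAMPLE):
        print(f"{name}: {finding}")
```
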

Microsoft Edge

Kerberos works out of the box in Edge when the system is correctly configured (check Windows above).