Kerberos authentication
Kerberos authentication lets you log in to CERN websites with a single click when you are already logged in to your system. It is enabled by default on all the centrally managed Windows machines at CERN, and it can also be configured on other devices.
System configuration
Linux
Please check the Linux @ CERN documentation on how to configure and use Kerberos in Linux.
Windows
Kerberos works out of the box on Windows computers managed by NICE Services. To set up Kerberos in an OEM Windows setup, you can get help from Windows Support.
Mac
Kerberos can be enabled using the built-in Ticket Viewer application.
Web browser settings
Mozilla Firefox
Firefox does not automatically perform Kerberos authentication against any sites. You must manually add sites to a trusted sites list.
To enable Kerberos authentication in Firefox:
- Open Firefox and enter about:config in the address bar. Dismiss any warnings that appear.
- In the Filter field, enter negotiate.
- Double-click the network.negotiate-auth.trusted-uris preference. This preference lists the trusted sites for Kerberos authentication.
- In the dialog box, enter cern.ch.
- Click the OK button.
- The domain that you just entered in network.negotiate-auth.trusted-uris should now appear in the Value column. The setting takes effect immediately; you do not have to restart Firefox.
Google Chrome
- On Windows, the newest versions of Chrome work out of the box when the system is correctly configured (check Windows above).
- On Linux, Chrome or Chromium must be started with the --auth-server-allowlist parameter (this parameter was called --auth-server-whitelist before Chrome 86):
    google-chrome --auth-server-allowlist="auth.cern.ch,login.cern.ch"
    chromium --auth-server-allowlist="auth.cern.ch,login.cern.ch"
- You may also create a group policy for Chrome by creating the file /etc/opt/chrome/policies/managed/cern_kerberos_allow.json with the content:
    { "AuthServerAllowlist": "auth.cern.ch,login.cern.ch" }
- On Mac, run the following in your terminal:
    defaults write com.google.Chrome AuthServerAllowlist "auth.cern.ch,login.cern.ch"
Note: if you experience issues, please make sure that the legacy parameter auth-server-whitelist has been removed.
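An added example (not part of the CERN documentation): a Python check of the Chrome managed-policy directory described above, reporting invalid JSON, a leftover legacy key, and allowlist entries other than the two hosts this page configures. The function names and the sample files are constructed for illustration, and AuthServerWhitelist is assumed to be the policy-file counterpart of the legacy --auth-server-whitelist parameter.

```python
import json
import tempfile
from pathlib import Path

# Hosts this page configures for Kerberos (Negotiate) authentication.
EXPECTED = {"auth.cern.ch", "login.cern.ch"}
CURRENT_KEY = "AuthServerAllowlist"
LEGACY_KEY = "AuthServerWhitelist"  # assumed policy name for the pre-Chrome-86 setting


def audit_policy_dir(policy_dir):
    """Return a list of findings for the Chrome policy JSON files in policy_dir."""
    findings, seen = [], False
    for path in sorted(Path(policy_dir).glob("*.json")):
        try:
            policy = json.loads(path.read_text())
        except ValueError:
            findings.append(f"{path.name}: invalid JSON")
            continue
        if not isinstance(policy, dict):
            findings.append(f"{path.name}: not a JSON object")
            continue
        if LEGACY_KEY in policy:
            findings.append(f"{path.name}: legacy key {LEGACY_KEY} present, remove it")
        if CURRENT_KEY in policy:
            seen = True
            hosts = {h.strip() for h in str(policy[CURRENT_KEY]).split(",") if h.strip()}
            for host in sorted(hosts - EXPECTED):
                findings.append(f"{path.name}: unexpected allowlist entry {host!r}")
            for host in sorted(EXPECTED - hosts):
                findings.append(f"{path.name}: missing allowlist entry {host!r}")
    if not seen:
        findings.append(f"no {CURRENT_KEY} policy found")
    return findings


def demo():
    """Audit three constructed sample policy files written to a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "cern_kerberos_allow.json").write_text('{ "AuthServerAllowlist": "auth.cern.ch,login.cern.ch" }')
        (d / "old.json").write_text('{ "AuthServerWhitelist": "auth.cern.ch", "AuthServerAllowlist": "auth.cern.ch,*.example.org" }')
        (d / "broken.json").write_text('{ "AuthServerAllowlist": ')
        return audit_policy_dir(d)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real machine, call audit_policy_dir("/etc/opt/chrome/policies/managed"); an empty result means every policy file parsed and the allowlist contains exactly the two hosts above.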
Microsoft Edge
Kerberos works out of the box in Edge when the system is correctly configured (check Windows above).