At my company there are several internal Windows web servers using AD and Kerberos single sign-on. That means that on a Windows computer with Internet Explorer I don't need to authenticate to access those web servers. Using Firefox, I have to give a username and password to each and every site. This article tells how I made single sign-on work with Firefox.
Ubuntu (Natty) client with Firefox 4
First, Kerberos needs to be installed, which was not the default in Ubuntu Natty. Running kinit (which I mistyped as kniit, hence the suggestion) I got the following:
$ kniit
No command 'kniit' found, did you mean:
 Command 'kinit' from package 'heimdal-clients' (universe)
 Command 'kinit' from package 'krb5-user' (main)
I guessed correctly and installed krb5-user (the MIT Kerberos client tools; heimdal-clients is the other Kerberos implementation):
$ sudo apt-get install krb5-user
The installation asked me for my default realm, and I gave the internal DNS domain name, which in upper case is the realm name. The servers I want to access are called things like:
http://intranet.ad.mycompany.intra
http://server321.ad.mycompany.intra
http://portal.ad.mycompany.intra
so the realm is AD.MYCOMPANY.INTRA. It was then stored in the Kerberos configuration file:
# /etc/krb5.conf
[libdefaults]
    default_realm = AD.MYCOMPANY.INTRA
Now running kinit asked me for my password, and I authenticated successfully. My username on my Ubuntu client happened to be the same as my username in Active Directory, so kinit needed no principal argument (if the names differ, give it explicitly: kinit username@AD.MYCOMPANY.INTRA):
zo0ok@zo0ok-workstation:~$ kinit
Password for zo0ok@AD.MYCOMPANY.INTRA:
zo0ok@zo0ok-workstation:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: zo0ok@AD.MYCOMPANY.INTRA

Valid starting     Expires            Service principal
05/26/11 13:10:39  05/26/11 23:11:09  krbtgt/AD.MYCOMPANY.INTRA@AD.MYCOMPANY.INTRA
        renew until 05/27/11 13:10:39
zo0ok@zo0ok-workstation:~$ kdestroy
zo0ok@zo0ok-workstation:~$
The example above authenticates, lists my tickets (note the Expires column: this TGT is valid for ten hours and renewable for a day) and destroys them.
Now it is time for the Firefox configuration. In the URL field, type about:config. You may get a warning about dangerous things and voiding the warranty. Proceed and you get to a page with a great many settings. We want to set:
network.negotiate-auth.trusted-uris = .ad.mycompany.intra
I have been told the . before ad is important. Not sure. It should also be possible to include more servers/domains, separated by commas. I don't know exactly how flexible the field is, but the above setting works for me. Keep the list narrow in any case: every host that matches it will be handed a Kerberos ticket for that host automatically, without a prompt. The related setting network.negotiate-auth.delegation-uris (which additionally lets a matching server act on your behalf toward other services) is separate and should stay empty unless a server actually needs it.
Now I can single sign on to internal web pages using Firefox on Linux! Note that I have to authenticate using the kinit command first, and again once the ticket has expired. It does not work to authenticate to one site in Firefox and hope to get SSO to all the others: Firefox on Linux never asks for Kerberos credentials itself, it only uses the ticket cache that kinit filled.
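The whole procedure above (check for a ticket, set the Firefox preference, verify against a server) can be scripted so it is repeatable on the next workstation. The script below is an added example, not from the original post: the realm and domain are the post's placeholders, the profile path and the "leading dot plus at least two labels" rule for a narrow trusted-uris value are my assumptions, and the user.js file is the standard way to set about:config preferences on Firefox startup.

```shell
#!/bin/sh
# Added example (not part of the original post). Helpers for the Firefox
# Kerberos SSO setup described above: check the ticket cache, write the
# Negotiate prefs into a profile's user.js, and probe a server with curl.
# Domain/realm are the post's placeholders; the profile path is assumed.

# Emit user.js lines for the two Negotiate prefs.
# $1 = comma-separated trusted domains, e.g. ".ad.mycompany.intra"
firefox_sso_prefs() {
    printf 'user_pref("network.negotiate-auth.trusted-uris", "%s");\n' "$1"
    # delegation-uris is a separate, more dangerous pref: a matching server
    # may reuse your identity toward other services. Keep it empty.
    printf 'user_pref("network.negotiate-auth.delegation-uris", "");\n'
}

# Refuse trusted-uris values that would trust far more than the AD domain.
# Assumption (mine, not Firefox's rule): an acceptable entry uses the
# leading-dot suffix form from the post and has at least two labels,
# so ".ad.mycompany.intra" passes but "", "*" and ".intra" do not.
trusted_uri_is_narrow() {
    case "$1" in
        .*.*) return 0 ;;
        *)    return 1 ;;
    esac
}

# klist -s (MIT krb5-user) exits 0 only if the cache holds a valid,
# non-expired ticket; this is the check Firefox implicitly relies on.
have_tgt() {
    klist -s 2>/dev/null
}

# Probe a server: with --negotiate and an empty user curl uses the GSSAPI
# ticket cache exactly as Firefox does. Prints the final HTTP status;
# 200 means the ticket was accepted, 401 means no Negotiate happened.
sso_probe() {
    curl -sS -o /dev/null -w '%{http_code}\n' --negotiate -u : "$1"
}

main() {
    domain=".ad.mycompany.intra"
    profile="$HOME/.mozilla/firefox/xxxxxxxx.default"   # assumed path
    trusted_uri_is_narrow "$domain" || {
        echo "refusing overly broad trusted-uris value: $domain" >&2
        exit 1
    }
    have_tgt || kinit                 # prompts for the AD password
    firefox_sso_prefs "$domain" >> "$profile/user.js"
    sso_probe http://intranet.ad.mycompany.intra/
}

# Run the full procedure only when asked, so the helpers can be sourced.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as `sh sso-setup.sh run` while Firefox is closed, since Firefox reads user.js only at startup; the `curl` probe is the quickest way to tell a missing ticket (401) from a Firefox preference problem (200 from curl, prompt in Firefox).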