Google Chrome on Mac OS X with Kerberos

Question

Is it possible to use Kerberized Websites with Google Chrome on Mac OS X?

Answer 1

With MacOS 10.11 (El Capitan) (maybe even 10.10 not sure about this) you run the following commands in your Terminal:

$ defaults write com.google.Chrome AuthServerWhitelist "*.example.com"
$ defaults write com.google.Chrome AuthNegotiateDelegateWhitelist "*.example.com" 

Then you restart (if it is running) Google Chrome and et voila it should accept the Kerberos ticket on your system.

This should persist updates.

Answer 2

I noticed today with Chrome 101 that I was no longer able to access Kerberos protected resources and it looks to because the config options have changed their name. The site that alerted me to this was: https://gitlab.com/Mactroll/NoMAD/-/issues/402 and the fix for me was to set the new config options with:

$ defaults write com.google.Chrome AuthServerAllowlist "*.example.com"
$ defaults write com.google.Chrome AuthNegotiateDelegateAllowlist "*.example.com"

then I removed the old settings:

$ defaults remove com.google.Chrome AuthServerWhitelist
$ defaults remove com.google.Chrome AuthNegotiateDelegateWhitelist

Then after restarting Chrome Kerberos was back working.

Answer 3

Chrome's Kerberos website whitelist can be configured system-wide using policies. See Mac Quick Start, then configure AuthServerWhitelist in the policy.

Answer 4

Indeed it is, you have to white list the Websites you like through a command line argument.

/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --auth-server-whitelist="example.com"

You can use asterisk to include sub domains: "*example.com".

As this is cumbersome to do every day, you can move the executable to Google Chrome0 and afterwards put this script at the place of Google Chrome (don't forget to chmod +x Google\ Chrome):

#!/bin/sh$
ABSPATH=$(cd "$(dirname "$0")"; pwd)$
"$ABSPATH/Google Chrome0" --auth-server-whitelist="*example.com"

This will most probably be overwritten if you update Chrome.