Monday, February 25, 2013

I go, you go, we all go for SPNEGO

While working through a web SSO Kerberos authentication issue (SPNEGO), I tried testing Safari and Chrome as well as Firefox to make sure that what I was running into was not a bug in Firefox.

The experience left a lot to be desired.

To be fair, I have been working with FreeIPA, so Firefox was already mostly configured for SPNEGO: it already had network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris set for my domain. That is about the only trick to getting Firefox to work with SPNEGO, and when I went to use it on another server in the same REALM, it appeared to be sending the correct authentication negotiation headers to the server. (The two settings are not interchangeable: trusted-uris lists the sites Firefox will answer a Negotiate challenge for, while delegation-uris lists the sites it will additionally forward your Kerberos credentials to, so the second list should be kept to hosts that genuinely need to act on your behalf.)

Safari has no such settings, since it relies on the Kerberos setup at the OS level. I have used it with Apache's mod_auth_kerb module on other servers in the same REALM, so I know it basically just works. For some reason, though, the server was not sending back a 401 authentication challenge (the WWW-Authenticate: Negotiate header a browser needs to see before it will present a ticket), so Safari just may not be supported by this application. Que sera sera.
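Before concluding that an application does not support a browser, it is worth confirming what the server actually sends, since a Kerberos-capable browser will never volunteer a ticket without a challenge. The following script is an added example, not part of the original post: it parses response headers for a 401 carrying WWW-Authenticate: Negotiate, lists the schemes offered, and can probe a live URL with curl. The sample responses are constructed for illustration, not captured from the author's server.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a server issues the
# SPNEGO challenge at all before blaming the browser. A Kerberos-aware browser
# only sends "Authorization: Negotiate <token>" after it sees a 401 response
# carrying "WWW-Authenticate: Negotiate" (RFC 4559). A 200, a redirect to a
# login form, or a 401 that offers only Basic means the server, not Safari or
# Chrome, is the reason no ticket was used.

# negotiate_offered RAW_HEADERS
#   Exit 0 if RAW_HEADERS is a 401 whose WWW-Authenticate header(s) include
#   Negotiate, 1 otherwise. CRs are stripped so raw curl output can be fed in;
#   header names and scheme tokens are matched case-insensitively.
negotiate_offered() {
    hdrs=$(printf '%s\n' "$1" | tr -d '\r')
    printf '%s\n' "$hdrs" | head -n 1 | grep -Eq '^HTTP/[0-9.]+ 401( |$)' || return 1
    printf '%s\n' "$hdrs" | grep -i '^WWW-Authenticate:' | grep -qi '^[^:]*: *negotiate'
}

# auth_schemes_offered RAW_HEADERS
#   Print the distinct authentication schemes the server advertises, lower-cased,
#   sorted and space-separated (e.g. "basic negotiate"). Empty output means the
#   server never asked for authentication at all. Comma-separated lists inside a
#   single header ("Negotiate, NTLM") are split as well.
auth_schemes_offered() {
    printf '%s\n' "$1" | tr -d '\r' \
        | grep -i '^WWW-Authenticate:' \
        | sed 's/^[^:]*: *//' | tr ',' '\n' | awk 'NF {print $1}' \
        | tr 'A-Z' 'a-z' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# probe_server URL
#   Live version (needs the network, so the checks below do not call it): fetch
#   the URL without following redirects and report what the server offers.
probe_server() {
    raw=$(curl -sS -D - -o /dev/null "$1") || return 2
    if negotiate_offered "$raw"; then
        echo "$1: 401 with Negotiate offered; the browser, not the server, needs attention"
    else
        status=$(printf '%s\n' "$raw" | head -n 1 | tr -d '\r')
        echo "$1: no Negotiate challenge (status: $status; schemes: '$(auth_schemes_offered "$raw")')"
    fi
}

# Constructed sample responses (not captured from any real server).
SAMPLE_401_NEGOTIATE='HTTP/1.1 401 Unauthorized
Server: Apache
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm="EXAMPLE.TEST"
Content-Length: 0'

SAMPLE_302_LOGIN='HTTP/1.1 302 Found
Location: /login
Content-Length: 0'

SAMPLE_401_BASIC_ONLY='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="EXAMPLE.TEST"'

# Usage: sh spnego_probe.sh https://<server>/
if [ $# -gt 0 ]; then
    probe_server "$1"
fi
```

Run it against the URL you are testing; if it reports no Negotiate challenge, the fix belongs on the server (or the application in front of it), and no amount of browser configuration will help.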

On to Chrome.

Oh my! Chrome requires command line arguments to enable SPNEGO support. There are no preferences in the UI that you can set, and no obvious .plist, .ini or other file you can edit to enable it cleanly and persistently. You have to type this abomination of a command line in a terminal window to run Chrome on a Mac with SPNEGO support:

open '/Applications/Google Chrome.app' --args --auth-server-whitelist="<server>" --auth-negotiate-delegate-whitelist="<server>" --auth-schemes="digest,ntlm,negotiate" https://<server>/

Two of those switches deserve a closer look before you paste the line in. --auth-negotiate-delegate-whitelist names the hosts Chrome will hand a forwardable Kerberos ticket to, so it should list only servers that genuinely need to act on your behalf, never a bare *. And --auth-schemes lists every scheme Chrome is willing to answer a challenge with; if Kerberos is the point, trimming it to negotiate stops a misconfigured server from quietly falling back to NTLM or Digest.

I don't object to using a terminal window; in fact I spend most of my time working in one.  But one would think that Google could come up with a more graceful way to handle that.  And that's not the only time I've had to resort to that for Chrome -- certain developer options require command line switches to enable as well, but I can forgive them -- a little -- in that case.

(This also implies that it will be a cold day in the Valley before Android tablets will have reasonable SPNEGO support.  You can't exactly pass command line options to browsers on tablets without jumping through hoops.  After I get the desktop browsers sorted out, I'll have to see just how bad the situation is on the tablet front.)

Moral of this story: out of the 3 major browsers for the Mac, Firefox seems to have the most widely supported and least troublesome Kerberos/SPNEGO support of them all.

1 comment:

  1. Chrome/chromium does support configuration with policy files. Do a Google search for AuthServerWhitelist, and have a look there:
    http://www.chromium.org/administrators/configuring-other-preferences

    Works perfectly on Linux once you've sorted out the precise policy file location, between the distro changes and the Chrome/Chromium discrepancies.

    I'm just having a guess that OSX does support this too.

    JB

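To make the policy-file route the comment describes concrete, here is an added example (my code, not the post's or the commenter's): a small script that generates Chrome's managed-policy JSON for SPNEGO, refuses a wildcard in the delegate list, and writes it to the directory you give it. The policy names are the 2013-era AuthServerWhitelist the comment mentions, plus AuthNegotiateDelegateWhitelist and AuthSchemes; the Linux directories named in the comments are the ones Google Chrome and Chromium read at the time, and the macOS `defaults write` remark is an assumption to confirm against chrome://policy, which shows what Chrome actually loaded.

```shell
#!/bin/sh
# Added example (not from the post or the comment): Chrome's managed-policy route
# to SPNEGO, with a check for the one setting that matters most for safety.
#   AuthServerWhitelist            hosts Chrome will answer a Negotiate challenge for
#   AuthNegotiateDelegateWhitelist hosts it will additionally forward a Kerberos ticket to
#   AuthSchemes                    challenge schemes it is willing to answer at all

# delegate_list_is_safe LIST
#   Exit 1 if the comma-separated list contains a bare "*" entry. Chrome treats
#   "*" as "every host", and a wildcard in the *delegate* list hands the user's
#   forwardable ticket to any server that asks, which this configuration must
#   never do. Patterns such as *.example.test are accepted.
delegate_list_is_safe() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qx '\*' && return 1
    return 0
}

# chrome_spnego_policy SERVERS [DELEGATE_SERVERS]
#   Print the policy JSON. DELEGATE_SERVERS defaults to SERVERS. AuthSchemes is
#   trimmed to negotiate so a server that offers only NTLM or Digest gets no
#   response. Inputs are restricted to host-pattern characters so nothing can
#   break out of the JSON strings.
chrome_spnego_policy() {
    servers=$1
    delegates=${2:-$1}
    case "$servers,$delegates" in
        *[!A-Za-z0-9.*,:-]*) return 1 ;;   # hostnames, wildcards, ports and commas only
    esac
    delegate_list_is_safe "$delegates" || return 1
    printf '{\n  "AuthSchemes": "negotiate",\n  "AuthServerWhitelist": "%s",\n  "AuthNegotiateDelegateWhitelist": "%s"\n}\n' \
        "$servers" "$delegates"
}

# install_chrome_policy POLICY_DIR SERVERS [DELEGATE_SERVERS]
#   Write the policy where Chrome picks it up on its next start. The directory
#   differs by build, as the comment notes: /etc/opt/chrome/policies/managed for
#   Google Chrome and /etc/chromium/policies/managed for Chromium on Linux.
#   On a Mac the same keys can be set with
#     defaults write com.google.Chrome AuthServerWhitelist "<servers>"
#   (an assumption here, not something the post verified). Either way,
#   chrome://policy shows what was actually loaded.
install_chrome_policy() {
    dir=$1; shift
    policy=$(chrome_spnego_policy "$@") || return 1
    mkdir -p "$dir"
    printf '%s\n' "$policy" > "$dir/spnego.json"
    chmod 644 "$dir/spnego.json"
}

# Usage: sudo sh chrome_spnego_policy.sh /etc/opt/chrome/policies/managed '*.example.test' 'auth.example.test'
if [ $# -ge 2 ]; then
    install_chrome_policy "$@"
fi
```

Note the two lists need not match: it is reasonable to let Chrome authenticate to every host under your domain while forwarding tickets only to the one or two servers that call other Kerberised services on the user's behalf.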