Setting up your PC for LDAP Single Sign-On

Stations set up to use Kerberos authentication allow users to log in with a single click instead of entering a username and password. If you are connecting to an LDAP/Kerberos station, you will see a new login form that gives you the option of bypassing the username/password form.

In order to use this Single Sign-On feature, you need to have your PC correctly configured.

1. You must be logged in to your device

The Single Sign-On feature relies on the fact that you have already logged in to your computer: the browser obtains a Kerberos ticket from that logon session and presents it to the station, so your password is never typed into the browser. If you are on a device that did not require you to log in with your domain account (e.g. a smartphone), you will not be able to use this feature and should use the standard username/password form.

You should also be logged in to the same domain as the station. The station's domain appears on the alternate login button; it should match the domain shown when you log on to your computer.

2. Browser configuration

Each browser must be configured to allow your Kerberos ticket to be sent to the station. Browsers only do this for hosts on an explicit allow list, because every host on that list receives a ticket issued in your name, so add only the station hosts you actually use and avoid broad wildcards. It's a little bit of set-up the first time around, but once it's done you can benefit from Single Sign-On and not worry about entering your username and password repeatedly. The following sections contain instructions for setting up the different browsers.

Internet Explorer

For Internet Explorer, you will have to change the security zone settings to allow Kerberos authentication. Go to Tools > Internet Options (you may need to run IE as administrator to access it).

Go to the Security tab, select "Local intranet", click the "Sites" button and then the "Advanced" button in the dialog that opens. Type the URL of your station and click "Add" to add it to the zone. If the station is reached over plain http, first untick "Require server verification (https:) for all sites in this zone", otherwise the entry is rejected.

Go back to the Security tab and make sure "Local intranet" is still selected. Click the "Custom level" button, find the "User Authentication" section (near the bottom) and select "Automatic logon only in Intranet zone" to use Kerberos authentication without a prompt; this is the default for the zone, so it usually only needs checking. If you prefer to be prompted, select "Prompt for user name and password". Also confirm that "Enable Integrated Windows Authentication" is ticked on the Advanced tab: it is on by default, but Kerberos is never attempted while it is off.
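The same zone configuration can be made, and checked, from the registry, which is useful when the steps above have to be repeated on many PCs or verified after the fact. The following PowerShell is an added example and is not part of the original page; it assumes a placeholder station at https://station.example.com, a two-label domain suffix (example.com), and that the zone settings are not locked by Group Policy (policy-managed zones live under HKLM\...\Policies and take precedence over these per-user keys).

```powershell
# Added example (not from the original page): registry form of the
# Internet Options > Security steps for Kerberos single sign-on.
# Assumptions: station host station.example.com over https; zone settings
# not locked by Group Policy.
$StationHost  = 'station.example.com'
$Scheme       = 'https'   # use 'http' only if the station has no TLS
$InetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Add-IntranetZoneHost {
    param([string]$HostName, [string]$Scheme)
    # IE keys the ZoneMap by registrable domain with the host part as a
    # subkey: ZoneMap\Domains\example.com\station, value https = 1
    # (1 = Local intranet). Assumes a two-label suffix such as example.com.
    $labels = $HostName.Split('.')
    if ($labels.Count -lt 2) { throw 'Use the fully qualified name of the station' }
    $key = "$InetSettings\ZoneMap\Domains\" + ($labels[-2..-1] -join '.')
    if ($labels.Count -gt 2) {
        $key += '\' + ($labels[0..($labels.Count - 3)] -join '.')
    }
    New-Item -Path $key -Force | Out-Null
    # One value per scheme. A '*' value would also put cleartext http in the
    # zone and let the ticket be sent without TLS, so set only what is needed.
    New-ItemProperty -Path $key -Name $Scheme -Value 1 -PropertyType DWord -Force | Out-Null
    return $key
}

function Set-IntranetZoneLogon {
    # Zones\1 is Local intranet; 1A00 is the "Logon" custom-level setting:
    # 0x00000 automatic logon, 0x10000 prompt, 0x20000 automatic logon only
    # in Intranet zone (the default), 0x30000 anonymous.
    param([uint32]$Logon = 0x20000)
    New-Item -Path "$InetSettings\Zones\1" -Force | Out-Null
    Set-ItemProperty -Path "$InetSettings\Zones\1" -Name '1A00' -Value $Logon -Type DWord
}

function Get-IeKerberosStatus {
    param([string]$HostName, [string]$Scheme, [string]$ZoneKey)
    # Read back what IE will actually use. EnableNegotiate is the Advanced-tab
    # "Enable Integrated Windows Authentication" box.
    [pscustomobject]@{
        Station      = "${Scheme}://$HostName"
        InIntranet   = ((Get-ItemProperty -Path $ZoneKey).$Scheme -eq 1)
        LogonSetting = ('0x{0:X}' -f (Get-ItemProperty -Path "$InetSettings\Zones\1").'1A00')
        IwaEnabled   = ((Get-ItemProperty -Path $InetSettings).EnableNegotiate -eq 1)
    }
}

$zoneKey = Add-IntranetZoneHost -HostName $StationHost -Scheme $Scheme
Set-IntranetZoneLogon                     # 0x20000 = automatic logon only in Intranet zone
Get-IeKerberosStatus -HostName $StationHost -Scheme $Scheme -ZoneKey $zoneKey
```

Run it in the user's own session (the keys are under HKCU) and then restart Internet Explorer. If IwaEnabled comes back false, tick "Enable Integrated Windows Authentication" on the Advanced tab, or set EnableNegotiate to 1, before expecting a Kerberos logon.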

Chrome

For Chrome, you will need all the same settings as Internet Explorer. In addition, you will need to add the following arguments when you start Chrome:
--auth-negotiate-delegate-whitelist="some.domain.com" --auth-server-whitelist="some.domain.com"
(where some.domain.com is the host name of your station, not its full URL). --auth-server-whitelist lists the hosts Chrome is allowed to authenticate to with Kerberos. --auth-negotiate-delegate-whitelist goes further: it lets the station receive a forwardable ticket and act on your behalf towards other services, so include it only if the station actually requires delegation. Recent Chrome releases spell these switches, and the matching AuthServerAllowlist and AuthNegotiateDelegateAllowlist policies, with -allowlist instead of -whitelist.

If you are starting Chrome from the command line, simply append the arguments to the end of the command.

If you use a shortcut, right-click the shortcut and select "Properties". On the "Shortcut" tab, append the arguments above to the end of the "Target" field, after the closing quotation mark around the executable path and separated from it by a space. Note that the arguments only apply to Chrome windows started from that shortcut.

Chrome should be ready for Kerberos. You will be able to log in to the station without being prompted for a username and password.
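Because command-line arguments only cover the one shortcut they are added to, an administrator will usually prefer to set the same allow list as a Chrome policy, which applies to every launch. The PowerShell below is an added example, not code from the original page or from Google: it writes the AuthServerAllowlist policy (and, only on request, the delegation policy) for the current user, and also shows how to patch an existing shortcut the way the page describes. It assumes the placeholder host station.example.com and a shortcut path you supply.

```powershell
# Added example (not from the original page): Chrome Kerberos allow list as a
# user policy, plus the shortcut edit from the page. Assumes the placeholder
# station host station.example.com.
$StationHost = 'station.example.com'

function Set-ChromeKerberosPolicy {
    param([string]$HostName, [switch]$AllowDelegation)
    $key = 'HKCU:\Software\Policies\Google\Chrome'
    New-Item -Path $key -Force | Out-Null
    # Hosts Chrome may send Negotiate (Kerberos) tokens to. Comma separated;
    # a wildcard like *.example.com is accepted but hands your ticket to
    # every host under that domain, so list the station explicitly.
    Set-ItemProperty -Path $key -Name 'AuthServerAllowlist' -Value $HostName -Type String
    if ($AllowDelegation) {
        # Delegation forwards your TGT so the station can act as you against
        # other services. Only set it if the station is documented to need it.
        Set-ItemProperty -Path $key -Name 'AuthNegotiateDelegateAllowlist' -Value $HostName -Type String
    } else {
        Remove-ItemProperty -Path $key -Name 'AuthNegotiateDelegateAllowlist' -ErrorAction SilentlyContinue
    }
    # Return what is now in force; chrome://policy shows the same values.
    Get-ItemProperty -Path $key | Select-Object AuthServerAllowlist, AuthNegotiateDelegateAllowlist
}

function Add-ChromeShortcutFlags {
    param([string]$ShortcutPath, [string]$HostName)
    # The per-shortcut alternative from the page. Uses the current switch
    # name; older builds used --auth-server-whitelist. No delegation flag is
    # added here for the same reason as above.
    $flag  = "--auth-server-allowlist=`"$HostName`""
    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($ShortcutPath)
    if ($lnk.Arguments -notlike '*--auth-server-*') {
        $lnk.Arguments = ($lnk.Arguments + ' ' + $flag).Trim()
        $lnk.Save()
    }
    return $lnk.Arguments
}

Set-ChromeKerberosPolicy -HostName $StationHost
# Optional, only if you still want a flagged shortcut (path is a placeholder):
# Add-ChromeShortcutFlags -ShortcutPath "$env:USERPROFILE\Desktop\Google Chrome.lnk" -HostName $StationHost
```

Restart Chrome after running it; the policy is read at startup. Setting the policy under HKLM\Software\Policies\Google\Chrome instead applies it to all users of the PC but needs administrator rights.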

Firefox

To set up Firefox to use Kerberos, type "about:config" in the address bar. There will be a warning, but once you accept it you can edit your settings.

In the search box at the top of the page, type "negotiate" to filter the preferences. You will need to edit:

Set these to the host name of the station you will be accessing through the browser, not its full URL. If you will be accessing your station using the URL "http://some.domain.com/somepage", you would enter "some.domain.com" in these fields. Entries are matched by host suffix, so a bare "domain.com" would also cover every other host under that domain; use the station's own name.

Firefox should be ready for Kerberos. You will be able to log in to the station without being prompted for a username and password.
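The about:config entries that the "negotiate" filter shows can also be written to the profile's user.js file, which Firefox reads at startup and which overrides the stored preferences. This PowerShell is an added example and is not code from the original page or from Mozilla. It uses Firefox's preference names network.negotiate-auth.trusted-uris and network.negotiate-auth.delegation-uris, assumes the placeholder host station.example.com and the default profile location under %APPDATA%, and must be run while Firefox is closed so the file is not overwritten.

```powershell
# Added example (not from the original page): write the Negotiate (Kerberos)
# preferences into every Firefox profile's user.js. Assumes placeholder host
# station.example.com and profiles under $env:APPDATA\Mozilla\Firefox\Profiles.
$StationHost = 'station.example.com'

function Set-FirefoxKerberosPrefs {
    param([string]$HostName, [switch]$AllowDelegation)
    $prefs = [ordered]@{
        # Hosts Firefox may answer a Negotiate challenge from with a ticket.
        # Comma separated; keep it to the station itself, not a whole domain.
        'network.negotiate-auth.trusted-uris' = $HostName
    }
    if ($AllowDelegation) {
        # Lets the station impersonate you to other services; off by default.
        $prefs['network.negotiate-auth.delegation-uris'] = $HostName
    }
    if ($HostName -notmatch '\.') {
        # Firefox refuses Kerberos to short (non-FQDN) names unless told otherwise.
        $prefs['network.negotiate-auth.allow-non-fqdn'] = $true
    }

    $profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    $written = @()
    foreach ($profile in Get-ChildItem -Path $profileRoot -Directory) {
        $userJs = Join-Path $profile.FullName 'user.js'
        $lines  = @()
        if (Test-Path $userJs) {
            # Drop any earlier lines for these prefs so the file stays single-valued.
            $lines = @(Get-Content -Path $userJs | Where-Object { $_ -notmatch 'network\.negotiate-auth\.' })
        }
        foreach ($name in $prefs.Keys) {
            $value   = $prefs[$name]
            $literal = if ($value -is [bool]) { $value.ToString().ToLower() } else { "`"$value`"" }
            $lines  += "user_pref(`"$name`", $literal);"
        }
        Set-Content -Path $userJs -Value $lines
        $written += $userJs
    }
    return $written
}

Set-FirefoxKerberosPrefs -HostName $StationHost
```

After starting Firefox, search "negotiate" in about:config again: the values should now show the station host, and they will stay in force as long as the user.js lines remain.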