Browser-specific setup

To use Kerberos authentication for browser access to a station, a few things must be configured on your local (browser) client PC, in addition to the Browser-independent setup.

First, make sure you can connect to the station using a fully qualified domain name rather than an IP address. When authenticating with Kerberos through a browser, the browser assumes that if you are at an address “http://some.domain.com/somepage”, you are trying to access the service “HTTP/some.domain.com” in the Kerberos database.

Since Kerberos works with names rather than IP addresses, the station's IP address must map to the host name used in that service name. If the correct entry already exists in your DNS server, nothing more is needed. If not, edit your client PC's hosts file to add an entry similar to:

nnn.nnn.nnn.nnn     some.domain.com

For example,

172.16.10.10      kerbtest2.tridium.net

where the IP address maps to the host named in the Kerberos service for kerbtest2 on tridium.net.

Note that the hosts file method is acceptable for testing, but not suitable once the site is live and many people need to access it (each client PC would need its own hosts entry).
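The following pre-flight check is an added example, not part of the NiagaraAX documentation. Given the station URLs a user will type into the browser and the contents of the client PC's hosts file, it derives the service name the browser will ask Kerberos for (HTTP/host, as described above), flags URLs that use an IP literal or a short host name, and reports whether the name is covered by the hosts file or must come from DNS. The sample hosts file is constructed for this example; the station names kerbtest2.tridium.net and host2.domain.com are the ones used on this page.

```python
"""Pre-flight check for Kerberos browser access to a station.

Added example, not from the NiagaraAX documentation. Derives the SPN the
browser will request for each station URL and checks how the host name
resolves on this client. Offline: resolution is checked against the hosts
file text only, never against live DNS.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of a client PC's hosts file after the edit above.
SAMPLE_HOSTS_FILE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
172.16.10.10    kerbtest2.tridium.net   kerbtest2   # test station
172.16.10.11    host2.domain.com
"""


def parse_hosts(text):
    """Return {hostname (lower-case): ip} from hosts-file text.

    Handles comment lines, trailing comments, blank lines and several
    names on one line. The first mapping seen for a name wins, as the
    resolver does.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping


def expected_spn(url):
    """SPN the browser requests for a URL: HTTP/<host, lower-cased>.

    Returns None when the URL names an IP literal, because Kerberos
    service names are built from host names, not addresses.
    """
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in URL: {url!r}")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return f"HTTP/{host.lower()}"  # not an IP literal: usable name
    return None


def preflight(urls, hosts_text):
    """Per URL: (spn or None, human-readable verdict)."""
    hosts = parse_hosts(hosts_text)
    report = {}
    for url in urls:
        spn = expected_spn(url)
        if spn is None:
            report[url] = (None, "IP literal: use the FQDN instead")
            continue
        name = spn.split("/", 1)[1]
        if "." not in name:
            report[url] = (spn, "short name: use the fully qualified name")
        elif name in hosts:
            report[url] = (spn, f"resolves via hosts file to {hosts[name]}")
        else:
            report[url] = (spn, "not in hosts file: must be in DNS")
    return report


if __name__ == "__main__":
    checks = [
        "http://kerbtest2.tridium.net/somepage",
        "http://172.16.10.10/somepage",
        "https://kerbtest2/ord",
    ]
    for url, (spn, verdict) in preflight(checks, SAMPLE_HOSTS_FILE).items():
        print(f"{url:45} {spn or '-':30} {verdict}")
```

Run it with the real hosts file contents (on Windows, %SystemRoot%\System32\drivers\etc\hosts) to see, before touching any browser setting, which station URLs will produce a usable service name and which will fall back to a password prompt.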

Next, you’ll need to set up your browsers to use Kerberos. As each browser is different, a separate procedure is given for the following popular browsers:

Firefox

Using Firefox for browser access (as a Kerberos authenticated LDAP user) to a NiagaraAX station requires some client-side setup. For prerequisites, see Browser-independent setup and Browser-specific setup.

Configuring Firefox to use Kerberos for LDAP

To configure Firefox on a client LDAP host to use Kerberos:

  1. Open a Firefox window.

  2. Type “about:config” in the location bar and press Enter.

    If a warning appears, continue on (“Promise to be careful”).

  3. In the Search box near the top of the page, type “negotiate”. This filters to six or seven attributes.

  4. Edit the following two entries:

    • network.negotiate-auth.delegation-uris

    • network.negotiate-auth.trusted-uris

    Set each to include the URIs of the station(s) you will access via the browser, separating multiple stations with a comma.

    For example, if accessing stations using the URLs http://host1.domain.com/somepage and http://host2.domain.com/somepage, set both fields to:

    host1.domain.com,host2.domain.com

Firefox should now be ready for Kerberos authentication. You should now be able to log in to stations without being prompted for a username and password.

Note: At the time of this document, only Windows-based stations (Supervisor, AX SoftJACE, or JACE-NXT) or Linux-based stations support the “SSO login feature” from a browser. QNX-based JACE stations do not, and so require LDAP user login. For related details, see Browser access via Kerberos.

Internet Explorer

Using Internet Explorer for browser access (as a Kerberos authenticated LDAP user) to NiagaraAX stations requires some client-side setup. For prerequisites, see Browser-independent setup and Browser-specific setup.

Configuring Internet Explorer to use Kerberos for LDAP

To configure Internet Explorer on a client LDAP host to use Kerberos, you must change security settings.

  1. Open an Internet Explorer window.

  2. On the menu bar, go to Tools > Internet Options.

  3. In the Internet Options dialog, click the Security tab, and select the Local intranet zone.

  4. Click the Sites button, and in the popup click Advanced.

    Another popup appears to “Add a website to this zone”.

  5. Type in the URL for a station and click Add.

    For example, http://host1.domain.com

    or, for SSL use (if HTTPS is enabled), https://host1.domain.com

    If there are multiple stations, repeat this step for each one, typing in the URL and clicking Add.

  6. When done adding stations, click Close, then OK to return to the Security tab.

  7. With the Local intranet zone selected, click the Custom level... button.

    A popup Security Settings - Local intranet dialog appears.

  8. Scroll down to the “User Authentication” section (near the bottom), and select “Automatic logon only in Intranet zone” to use Kerberos authentication without a prompt. If you prefer to be prompted, select the option to “Prompt for user name and password”.

  9. Click OK twice to close the Internet Options dialog.

Internet Explorer should now be ready for Kerberos authentication. You should now be able to log in to stations without being prompted for a username and password.

Note: At the time of this document, only Windows-based stations (Supervisor, AX SoftJACE, or JACE-NXT) or Linux-based stations support the “SSO login feature” from a browser. QNX-based JACE stations do not, and so require LDAP user login. For related details, see Browser access via Kerberos.

Chrome

Using Google Chrome for browser access (as a Kerberos authenticated LDAP user) to NiagaraAX stations requires some client-side setup. For prerequisites, see Browser-independent setup and Browser-specific setup.

To configure Google Chrome on a client LDAP host to use Kerberos, you must change the same security settings as for Internet Explorer (Chrome opens the Windows Internet Options dialog), and also specify additional startup arguments.

Configuring Google Chrome security to use Kerberos for LDAP

  1. Open a Google Chrome window.

  2. From the customize menu, select Settings (or type “chrome:settings” in the location bar and press Enter) for the “Chrome Settings” page. Click “Show advanced settings...” (near the bottom).

  3. Scroll down to the section Network, and click the Change proxy settings... button.

  4. In the Internet Options dialog, click the Security tab, and select the Local intranet zone.

  5. Click the Sites button, and in the popup click Advanced.

    Another popup appears to “Add a website to this zone”.

  6. Type in the URL for a station and click Add.

    For example, http://host1.domain.com

    If there are multiple stations, repeat this step for each one, typing in the URL and clicking Add.

  7. When done adding stations, click Close, then OK to return to the Security tab.

  8. With the Local intranet zone selected, click the Custom level... button.

    A popup Security Settings - Local intranet dialog appears.

  9. Scroll down to the “User Authentication” section (near the bottom), and select “Automatic logon only in Intranet zone” to use Kerberos authentication without a prompt. If you prefer to be prompted, select the option to “Prompt for user name and password”.

  10. Click OK twice to close the Internet Options dialog.

  11. Close all Chrome windows. See Configuring Google Chrome startup arguments.

Configuring Google Chrome startup arguments

When you start Chrome (chrome.exe), the following two arguments must be appended:

--auth-negotiate-delegate-whitelist="host1.domain.com" --auth-server-whitelist="host1.domain.com"

The host name of each station goes in quotation marks, as shown above. If there are multiple stations, separate them with a comma inside the quotation marks, as shown below.

--auth-negotiate-delegate-whitelist="host1.domain.com,host2.domain.com" --auth-server-whitelist="host1.domain.com,host2.domain.com"

If starting Chrome from a command line, append the arguments above to the end of the command.

If starting Chrome from a shortcut, do the following:

  1. Right-click the shortcut used to start Chrome and select “Properties”.

  2. From the “Shortcut” tab, click in the “Target” field, and go to the end (press End).

  3. Append the arguments as shown above to the command (after any quotation marks that may already be there).

  4. Click OK to save the shortcut.

Google Chrome should now be ready for Kerberos authentication. You should now be able to log in to stations without being prompted for a username and password.
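The Firefox about:config entries and the Chrome startup arguments above both carry the same information, a comma-separated list of station host names, and the Internet Explorer and Chrome zone lists carry the same station URLs. The script below is an added example, not part of the NiagaraAX documentation: it derives all of these from one list of station URLs so that the browsers are configured consistently, collapses duplicate hosts, and refuses IP literals and wildcard patterns. The station URLs are constructed; the preference names and Chrome flag names are the ones given in the procedures above. The delegate flag is kept separate because the delegation entries (network.negotiate-auth.delegation-uris and --auth-negotiate-delegate-whitelist) allow the listed station to forward your Kerberos credentials onward, so that list should contain only the stations that need it.

```python
"""Generate consistent Kerberos settings for Firefox, Chrome and IE from
one list of station URLs. Added example, not from the NiagaraAX docs."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of the stations a user will access in the browser.
STATION_URLS = [
    "http://host1.domain.com/somepage",
    "https://host2.domain.com/ord",
    "http://host1.domain.com/other",  # same host again: must collapse
]


def station_hosts(urls):
    """Unique, lower-cased host names in first-seen order.

    IP literals are rejected because Kerberos service names are built
    from host names. Wildcard patterns are rejected because they would
    extend trust, and credential delegation, far beyond the stations.
    """
    seen = []
    for url in urls:
        host = urlsplit(url).hostname
        if not host:
            raise ValueError(f"no host in {url!r}")
        try:
            ipaddress.ip_address(host)
        except ValueError:
            pass  # not an IP literal: a usable host name
        else:
            raise ValueError(f"{host}: Kerberos needs a DNS name, not an IP")
        if "*" in host:
            raise ValueError(f"{host}: wildcards would trust every host")
        host = host.lower()
        if host not in seen:
            seen.append(host)
    return seen


def firefox_prefs(urls, delegate=True):
    """about:config values; delegation-uris only when delegate=True."""
    value = ",".join(station_hosts(urls))
    prefs = {"network.negotiate-auth.trusted-uris": value}
    if delegate:
        prefs["network.negotiate-auth.delegation-uris"] = value
    return prefs


def chrome_args(urls, delegate=True):
    """chrome.exe arguments: each host list in one quoted, comma-separated
    string so it survives shortcut and command-line parsing."""
    value = ",".join(station_hosts(urls))
    args = [f'--auth-server-whitelist="{value}"']
    if delegate:
        args.append(f'--auth-negotiate-delegate-whitelist="{value}"')
    return " ".join(args)


def ie_zone_sites(urls):
    """Entries for the Local intranet zone: scheme://host per station."""
    sites = []
    for url in urls:
        p = urlsplit(url)
        site = f"{p.scheme}://{p.hostname.lower()}"
        if site not in sites:
            sites.append(site)
    return sites


if __name__ == "__main__":
    for name, value in firefox_prefs(STATION_URLS).items():
        print(f"Firefox  {name} = {value}")
    print("Chrome   " + chrome_args(STATION_URLS))
    for site in ie_zone_sites(STATION_URLS):
        print("IE zone  " + site)
```

Pass delegate=False for stations that only need single sign-on and never forward your credentials to another service; the trusted-uris and --auth-server-whitelist values are then still produced, while the delegation entries are left unset.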

Note: At the time of this document, only Windows-based stations (Supervisor, AX SoftJACE, or JACE-NXT) or Linux-based stations support the “SSO login feature” from a browser. QNX-based JACE stations do not, and so require LDAP user login. For related details, see Browser access via Kerberos.