{question}
How to use Kerberos authentication with a web browser and SingleStore Studio?
{question}
{answer}
To use Kerberos with modern web browsers, we have to allow the domains where the Kerberos server is hosted.
macOS
Chrome (or Chromium-based browsers like Edge, Brave, etc):
We need to launch the browser with the AuthServerAllowlist (--auth-server-allowlist) and AuthNegotiateDelegateAllowlist (--auth-negotiate-delegate-allowlist) flags. We can pass these flags when launching the application, or we can use defaults on macOS to have the setting applied every time we open the application:
defaults write com.google.Chrome AuthServerAllowlist '.YOURKERBDOMAIN.COM'
defaults write com.google.Chrome AuthNegotiateDelegateAllowlist '.YOURKERBDOMAIN.COM'
After running these two commands and completely restarting Chrome (quit it fully, so that no indicator appears under its icon in the Dock), we can use Kerberos authentication as long as we have a ticket.
If users utilize other Chromium-based browsers (Edge, Brave, etc.), we can find the domain name (com.google.Chrome in the above command for Chrome) by running defaults domains to list all domains on the system, then replace com.google.Chrome with the appropriate domain for the Chromium-based browser we are using.
Firefox:
We need to make sure Firefox is allowed to use CAs added to the local trust store by going into about:config and searching for security.enterprise_roots.enabled. Change the value from false to true and restart Firefox.
Afterward (or before we restart), go to about:config again and search for negotiate-auth. We'll want to update two config settings:
network.negotiate-auth.delegation-uris (this is equivalent to Chrome's AuthServerAllowlist)
network.negotiate-auth.trusted-uris (this is equivalent to Chrome's AuthNegotiateDelegateAllowlist)
In this case, we'll update them both to the same value as in Chrome: .YOURKERBDOMAIN.COM.
Afterward, Kerberos Authentication in Studio should work as long as the user has a ticket available on their machine.
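As an added example (not part of the original article), the three Firefox preferences changed above can be written to the profile's user.js from a shell on macOS or Linux instead of editing about:config by hand. The function names and the profile-directory argument are assumptions of this example; the suffix check refuses wildcards, lists and bare TLDs so the allowlist stays scoped to the Kerberos domain.

```shell
#!/bin/sh
# Added example, not from the original article.

# Accept only a leading-dot DNS suffix with at least two labels, such as
# ".YOURKERBDOMAIN.COM". Wildcards, comma lists and bare TLDs are refused so
# tickets are only offered (and delegated) to hosts in the Kerberos domain.
valid_suffix() {
  case "$1" in
    *[!A-Za-z0-9.-]* | *..* | *.) return 1 ;;
    .*.*) return 0 ;;
    *) return 1 ;;
  esac
}

# $1 = Firefox profile directory (assumed to exist), $2 = domain suffix
write_negotiate_prefs() {
  profile=$1
  suffix=$2
  [ -d "$profile" ] || { echo "no such profile directory: $profile" >&2; return 2; }
  valid_suffix "$suffix" || { echo "refusing allowlist value: $suffix" >&2; return 1; }
  userjs=$profile/user.js
  tmp=$userjs.tmp.$$
  # Keep unrelated prefs; drop earlier copies of the three managed here,
  # so running the function twice does not duplicate lines.
  if [ -f "$userjs" ]; then
    grep -v -e '"network\.negotiate-auth\.trusted-uris"' \
            -e '"network\.negotiate-auth\.delegation-uris"' \
            -e '"security\.enterprise_roots\.enabled"' "$userjs" > "$tmp" || true
  else
    : > "$tmp"
  fi
  {
    printf 'user_pref("security.enterprise_roots.enabled", true);\n'
    printf 'user_pref("network.negotiate-auth.trusted-uris", "%s");\n' "$suffix"
    printf 'user_pref("network.negotiate-auth.delegation-uris", "%s");\n' "$suffix"
  } >> "$tmp"
  mv "$tmp" "$userjs"
}

# Usage: sh thisfile.sh /path/to/firefox/profile .YOURKERBDOMAIN.COM
if [ $# -eq 2 ]; then
  write_negotiate_prefs "$1" "$2"
fi
```

Firefox applies user.js at every start, so values set this way override later about:config changes to the same preferences.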
Linux
Firefox:
Go into about:config and search for negotiate-auth. You'll want to update two config settings:
network.negotiate-auth.delegation-uris (this is equivalent to Chrome's AuthServerAllowlist)
network.negotiate-auth.trusted-uris (this is equivalent to Chrome's AuthNegotiateDelegateAllowlist)
In this case, you'll update them both to the same value as in Chrome: .YOURKERBDOMAIN.COM.
Windows
Firefox:
Go into about:config and search for negotiate-auth. You'll want to update two config settings:
network.negotiate-auth.delegation-uris (this is equivalent to Chrome's AuthServerAllowlist)
network.negotiate-auth.trusted-uris (this is equivalent to Chrome's AuthNegotiateDelegateAllowlist)
In this case, you'll update them both to the same value as in Chrome: .YOURKERBDOMAIN.COM.
{answer}