Enable Kerberos Authentication

PEM 8.1 onwards supports Kerberos Authentication. So you need to set up the Kerberos authentication at the time of configuring the PEM Server. For more details, see PEM Installation Guides.

Principal and Keytab file for PEM Webserver (apache/HTTP) and PEM Backend Database

  • Add the principal and generate the keytab file for PEM webserver (apache/HTTP) and copy it to the machine where the PEM webserver resides. Ensure that the operating system user owning the PEM Webserver is the owner of this file and accessible by that user.

  • Add the principal and generate the keytab file for the PEM backend database server and copy it to the machine where the PEM backend database resides. Ensure that the operating system user owning the PEM backend database server data directory is the owner of this file and accessible by that user.

Configuration settings

To enable Kerberos authentication for PEM, you must configure the following parameters in config_setup.py on the system where the PEM Server is installed.

  • PEM_APP_HOST- Specify the name of the PEM Webserver Hostname. Please note that if it is not set, then it will take the value of the default_server parameter.

  • PEM_AUTH_METHOD- Set the value to kerberos to use kerberos authentication.

Browser settings to configure Kerberos Authentication

You need to do the browser settings on the client machine to use the Spnego/Kerberos.

  • For Mozilla Firefox

    • Open the low level Firefox configuration page by loading the about:config page.

    • In the Search text box, enter: network.negotiate-auth.trusted-uris

    • Double-click the network.negotiate-auth.trusted-uris preference and enter the hostname or the domain of the web server that is protected by Kerberos HTTP SPNEGO. Separate multiple domains and hostnames with a comma.

    • Click OK.

  • For Google Chrome

    • For Windows:

      • Open the Control Panel to access the Internet Options dialog.

      • Select the Security tab.

      • Select the Local Intranet zone and click the Sites button.

      • Make sure that the first two options, Include all local (intranet) sites not listed in other zones and Include all sites that bypass the proxy server are checked.

      • Click Advanced and add the names of the domains that are protected by Kerberos HTTP SPNEGO, one at a time, to the list of websites. For example, myhost.example.com. Click Close.

      • Click OK to save your configuration changes.

    • For Linux or MacOS:

      • Add the --auth-server-whitelist parameter to the google-chrome command. For example, to run Chrome from a Linux prompt, run the google-chrome command as follows:

      google-chrome --auth-server-whitelist = "hostname/domain"