Symantec Access Management

  • 1.  SM 12.52 - Kerberos in Chrome and Safari

    Posted Mar 28, 2014 06:18 PM

    Anyone have any luck with Kerberos / SPNEGO with Chrome and Safari on 12.52?

    It works just fine on those browsers for us when using OpenSSO or direct IIS IWA (negotiate:Kerberos), but so far SiteMinder Kerberos does not work with either Chrome 33.x or Safari 5.x. It only works with Firefox and IE. The browsers are properly configured unless SiteMinder needs something special - they work for all non-SM Kerberos protected apps. 

    The error in the logs is just "Unable to Obtain Kerberos Token", but if you run klist you clearly see the ticket was set.

    Chrome:

    1. Run klist purge to clear all tickets
    2. Access the Kerberos protected resource mykerb.com/krb
      1. Browser redirects to ../smgetcred.kcc (proper) with 401
      2. Browser hangs for ~5 seconds
      3. Browser loops between ../smgetcred.kcc 401 and 302 Redirect
      4. Chrome throws "Redirect Loop" error and stops
    3. Run klist and see the Kerberos ticket was set with proper HTTP/mykerb.com 

    Safari:

    1. Run klist purge to clear tickets
    2. Access the Kerberos protected resource mykerb.com/krb
      1. Browser redirects to ../smgetcred.kcc with 401
      2. Browser hangs for a second
      3. Browser loops and never ends


  • 2.  RE: SM 12.52 - Kerberos in Chrome and Safari
    Best Answer

    Posted Mar 31, 2014 11:35 AM

    Ok, so the issue with Chrome was that Delegation (--auth-negotiate-delegate-whitelist) was not set, but the normal server-whitelist only (--auth-server-whitelist). This allowed IIS/OpenSSO to function but not SiteMinder.

    For Windows the following worked:

    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --auth-server-whitelist="*.mykerb.com" --auth-negotiate-delegate-whitelist="*.mykerb.com"

    For Mac:

    open -n -a 'Google Chrome.app' --args --auth-server-whitelist="*.mykerb.com" --auth-negotiate-delegate-whitelist="*.mykerb.com"
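
Added example, not part of the thread and not vendor code: a small Python check that reads a Chrome launch command and reports, for one host, whether the two switches discussed above permit Negotiate authentication and credential delegation. The host `app.mykerb.com`, the `BEFORE` command line and the use of shell-style wildcard matching are assumptions made for illustration.

```python
import fnmatch
import shlex

# The two Chrome switches named in the thread.
SERVER_FLAG = "--auth-server-whitelist"
DELEGATE_FLAG = "--auth-negotiate-delegate-whitelist"

# Constructed sample: only the server whitelist is set (the failing state described).
BEFORE = 'chrome.exe --auth-server-whitelist="*.mykerb.com"'
# Mac command line from the answer, with both switches set.
AFTER = ("open -n -a 'Google Chrome.app' --args "
         '--auth-server-whitelist="*.mykerb.com" '
         '--auth-negotiate-delegate-whitelist="*.mykerb.com"')


def parse_auth_flags(command_line):
    """Return {switch: [patterns]} for the two switches in a launch command."""
    flags = {SERVER_FLAG: [], DELEGATE_FLAG: []}
    for token in shlex.split(command_line):
        name, sep, value = token.partition("=")
        if sep and name in flags:
            flags[name] = [p.strip().lower() for p in value.split(",") if p.strip()]
    return flags


def host_matches(host, patterns):
    # Assumption: shell-style wildcards approximate Chrome's pattern matching.
    return any(fnmatch.fnmatchcase(host.lower(), p) for p in patterns)


def negotiate_status(command_line, host):
    """Report whether Chrome would negotiate with, and delegate to, host."""
    flags = parse_auth_flags(command_line)
    return {
        "negotiate": host_matches(host, flags[SERVER_FLAG]),
        "delegate": host_matches(host, flags[DELEGATE_FLAG]),
        # Entries worth a second look: a bare "*", or a delegation pattern
        # with no matching server-whitelist entry.
        "review": [p for p in flags[DELEGATE_FLAG]
                   if p == "*" or p not in flags[SERVER_FLAG]],
    }


if __name__ == "__main__":
    for label, cmd in (("before", BEFORE), ("after", AFTER)):
        print(label, negotiate_status(cmd, "app.mykerb.com"))
```

Delegation lets the listed servers receive forwardable credentials, so the delegate list is best kept to the specific hosts that need it.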

  • 3.  RE: SM 12.52 - Kerberos in Chrome and Safari

     
    Posted Apr 01, 2014 04:44 PM
    cbertagnolli:

    Ok, so the issue with Chrome was that Delegation (--auth-negotiate-delegate-whitelist) was not set, but the normal server-whitelist only (--auth-server-whitelist). This allowed IIS/OpenSSO to function but not SiteMinder.

    For Windows the following worked:

    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --auth-server-whitelist="*.mykerb.com" --auth-negotiate-delegate-whitelist="*.mykerb.com"

    For Mac:

    open -n -a 'Google Chrome.app' --args --auth-server-whitelist="*.mykerb.com" --auth-negotiate-delegate-whitelist="*.mykerb.com"

    Thanks for sharing your resolution with the community!