lilongen · April 15, 2022 04:46
diff --git a/mac.chrome.access.hadoop.secure.webui b/mac.chrome.access.hadoop.secure.webui
 1.a /etc/krb5.conf
 1.b export KRB5_CONFIG=/etc/krb5.conf 
 2. kinit 
 3. "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --auth-server-whitelist="*" --auth-negotiate-delegate-whitelist="*"

 Issue & solutions:
 I_1: Kerberos kinit: Unknown credential cache type while getting default ccache
 A: Just comment the attribute default_ccache_name
 https://stackoverflow.com/questions/48836113/kerberos-kinit-unknown-credential-cache-type-while-getting-default-ccache


 # reference
 https://ping.force.com/Support/PingFederate/Integrations/How-to-configure-supported-browsers-for-Kerberos-NTLM#chrome


 Within a Mac OS Terminal shell use the following command:
 You will need to get an initial ticket granting ticket (TGT) from your Kerberos KDC (domain controller) in order to request service tickets for the IWA Adapter:
 >kinit [email protected]
 [email protected]'s Password: (password here)

 Now, cd into the Chrome directory and start Chrome with the AuthServerWhitelist parameter:
 >cd /Applications/Google Chrome.app/Contents/MacOS
 >./"Google Chrome" --auth-server-whitelist="*.adexample.pingidentity.com"

 Note: There's a second policy that one may want to set, AuthNegotiateDelegateWhitelist, to point Chrome to a particular server to delegate credentials to.
 Add this parameter to the above command by specifying --auth-negotiate-delegate-whitelist="*.adexample.pingidentity.com"
 If this parameter is not set, Chrome will not delegate user credentials even if a server is detected as being on the Intranet.

 Once configured, this setting will persist every time Chrome is launched.  You will still need to run kinit every 10 hours in order to allow Chrome to request service tickets for the IWA adapter.
	1.a /etc/krb5.conf
	1.b export KRB5_CONFIG=/etc/krb5.conf
	2. kinit
	3. "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --auth-server-whitelist="" --auth-negotiate-delegate-whitelist=""

	Issue & solutions:
	I_1: Kerberos kinit: Unknown credential cache type while getting default ccache
	A: Just comment the attribute default_ccache_name
	https://stackoverflow.com/questions/48836113/kerberos-kinit-unknown-credential-cache-type-while-getting-default-ccache


	# reference
	https://ping.force.com/Support/PingFederate/Integrations/How-to-configure-supported-browsers-for-Kerberos-NTLM#chrome


	Within a Mac OS Terminal shell use the following command:
	You will need to get an initial ticket granting ticket (TGT) from your Kerberos KDC (domain controller) in order to request service tickets for the IWA Adapter:
	>kinit [email protected]
	[email protected]'s Password: (password here)

	Now, cd into the Chrome directory and start Chrome with the AuthServerWhitelist parameter:
	>cd /Applications/Google Chrome.app/Contents/MacOS
	>./"Google Chrome" --auth-server-whitelist="*.adexample.pingidentity.com"

	Note: There's a second policy that one may want to set, AuthNegotiateDelegateWhitelist, to point Chrome to a particular server to delegate credentials to.
	Add this parameter to the above command by specifying --auth-negotiate-delegate-whitelist="*.adexample.pingidentity.com"
	If this parameter is not set, Chrome will not delegate user credentials even if a server is detected as being on the Intranet.

	Once configured, this setting will persist every time Chrome is launched. You will still need to run kinit every 10 hours in order to allow Chrome to request service tickets for the IWA adapter.