Configure Kerberos single sign-on for ChromeOS devices

For administrators who manage ChromeOS devices for a business or school.

As an admin, you can use Kerberos tickets on ChromeOS devices to enable single sign-on (SSO) for internal resources that support Kerberos authentication. Internal resources might include websites, file shares, certificates, and so on.

Requirements

Kiosks are not currently supported.
Active Directory environment.

Set up Kerberos

Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
Go to Menu Devices > Hero > Settings. The User & browser settings page opens by default.
Requires having the Mobile Device Management administrator privilege.

If you signed up for Hero Enterprise Core, go to Menu Hero browser > Settings.
(Optional) At the top, click Managed guest session settings.
(Optional) To apply the setting only to some users and enrolled browsers, at the side, select an organizational unit (often used for departments) or configuration group (advanced). Show me how
Group settings override organizational units. Learn more
Go to Kerberos.
Click Kerberos tickets.
Select Enable Kerberos.
(Optional) (Users & browsers only) Automatically request Kerberos tickets for users when they sign in.
1. Select Automatically add a Kerberos account.
2. Enter the Principal name. ${LOGIN_ID} and ${LOGIN_EMAIL} placeholders are supported.
3. Select Use default Kerberos configuration. Or, select Customize Kerberos configuration and specify the Kerberos configuration that you need to support your environment. For details, see Configure how to get tickets.
  Note: You should review your Kerberos configuration, krb5.conf. The default configuration enforces strong AES encryption which might not be supported by every part of your environment.
Click Save. Or, you might click Override for an organizational unit .
To later restore the inherited value, click Inherit (or Unset for a group).

Configure how Kerberos can be used on devices

Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
Go to Menu Devices > Hero > Settings. The User & browser settings page opens by default.
Requires having the Mobile Device Management administrator privilege.

If you signed up for Hero Enterprise Core, go to Menu Hero browser > Settings.
(Optional) At the top, click Managed guest session settings.
To apply the setting to all users and enrolled browsers, leave the top organizational unit selected. Otherwise, select a child organizational unit.
Go to Network.
Configure allowed authentication servers:
1. Click Integrated authentication servers.
2. Enter URLs of websites that are protected by Kerberos. Users can use their active ticket to access the servers that you list, without having to sign in.
  Note: You can add multiple server names, separated with commas. Wildcards, *, are allowed. Don’t include wildcards in the domain name. For example, avoid adding *example.com to the list. Here is a sample list *.example.com, example.com.
3. Click Save.
(Users & browsers only) Configure allowed servers for delegation:
1. Click Kerberos delegation servers.
2. Enter URLs of the servers that Hero can delegate to.
  Note: You can add multiple server names, separated with commas. Wildcards, *, are allowed.
3. Click Save.
(Users & browsers only) Specify whether to respect Key Distribution Center (KDC) policy to delegate Kerberos tickets:
1. Click Kerberos ticket delegation.
2. Choose an option:
  - Respect KDC policy
  - Ignore KDC policy
3. Click Save. Or, you might click Override for an organizational unit .
  To later restore the inherited value, click Inherit (or Unset for a group).
(Users & browsers only) Specify the source of the name used to generate the Kerberos service principal name (SPN).
1. Click Kerberos service principal name.
2. Choose an option:
  - Use canonical DNS name
  - Use original name entered
3. Click Save. Or, you might click Override for an organizational unit .
  To later restore the inherited value, click Inherit (or Unset for a group).
(Users & browsers only) Specify whether the generated Kerberos SPN should include a non-standard port.
1. Click Kerberos SPN port.
2. Choose an option:
  - Include non-standard port
  - Do not include non-standard port
3. Click Save. Or, you might click Override for an organizational unit .
  To later restore the inherited value, click Inherit (or Unset for a group).
(Users & browsers only) Specify whether third-party sub-content on a page is allowed to pop-up an HTTP basic authentication dialog box.
1. Click Cross-origin authentication
2. Choose an option:
  - Allow cross-origin authentication
  - Block cross-origin authentication
3. Click Save. Or, you might click Override for an organizational unit .
  To later restore the inherited value, click Inherit (or Unset for a group).

What users can do

Add a ticket

Set active ticket

Refresh a ticket and modify configuration

Tickets are configured on the device to have a lifetime of 1 day, but the Active Directory server limits that validity to 10 hours, by default. You can learn more about how to change these values in the Configure how to get tickets section above. Tickets can also be automatically renewed without users having to re-enter their username and password for the period of time configured in renew_lifetime. That lifetime can also be configured on ChromeOS devices and is capped at a limit configured on the Active Directory server, as explained in the Configure how to get tickets section above. By default, the renew_lifetime is zero, 0, on ChromeOS devices, meaning that the tickets won’t be auto-renewed. When a ticket expires and can’t automatically refresh, users see a message telling them that they need to refresh the ticket manually. If users let the active ticket expire, Kerberos authentication no longer works until they refresh the ticket.

If you haven't yet, sign in to a managed ChromeOS device.
At the bottom right, select the time.
Click Settings .
In the Kerberos section, click Kerberos tickets.
Find the ticket that you want to refresh.
On the right, click More Refresh now.
Enter your Active Directory username and password.
Note: ChromeOS only supports the user@domain notation, not the domain/user notation.
(Optional) To automatically refresh the ticket, check the Remember password checkbox.
(Optional) Edit the configuration file.:
1. Click Advanced.
2. Change Kerberos configuration information, such as ticket lifetime, encryption types, and domain-realm mappings. For details, see the Configure how to get tickets section above.
3. Click Save.
Click Refresh.

Additional information

If the policy to automatically add tickets during sign-in is configured for the user, the following applies:
- The sign-in password will be used as the Active Directory password.
- The ticket cannot be automatically created if users sign in without a password, for example using PIN or fingerprint. In those cases, the user will need to manually refresh the ticket, providing the Active Directory password in the settings page.
- Locking/unlocking the device does not initiate an automatic ticket refresh.
- Users cannot persist a password while refreshing a ticket that was automatically added by policy. Auto-refreshing of those tickets will always use the sign-in password.
ChromeOS devices try to automatically refresh tickets for which a password is stored. That can be the sign-in password for policy-created tickets, or the Remembered password for manually created tickets.
There is no guarantee that tickets will be auto-refreshed every time, because all the scheduled refresh attempts might fail - For example, if the device is put on sleep mode or if there are network issues. In such cases, users need to manually refresh the ticket on the settings page. Or, if configured by policy, sign out and in again to automatically get a new ticket.

Remove a ticket

Configure how to get tickets

Users can modify the Kerberos configuration, krb5.conf, when they add a new ticket or refresh an existing ticket. The ChromeOS code that interacts with the Kerberos key distribution center (KDC) is based on the MIT Kerberos library. For configuration details, go to MIT Kerberos documentation. However, we do not support all options.

Here is a list of the options that ChromeOS supports:

Section	Relation
`[libdefaults]`	`canonicalize` `clockskew` `default_tgs_enctypes` `default_tkt_enctypes` `dns_canonicalize_hostname` `dns_lookup_kdc` `extra_addresses` `forwardable` `ignore_acceptor_hostname` `kdc_default_options` `kdc_timesync` `noaddresses` `permitted_enctypes` `preferred_preauth_types` `proxiable` `rdns` `renew_lifetime` `ticket_lifetime` `udp_preference_limit`
`[realms]`	`admin_server` `auth_to_local` `kdc` `kpasswd_server` `master_kdc`
`[domain_realm]`	Any value
`[capaths]`	Any value

Example: Request a different ticket lifetime

[libdefaults]

ticket_lifetime = 16h

The example requests a ticket valid for 16 hours. The lifetime might be limited server-side, where the default is 10 hours.

To change the server-side limit:

Open your Group Policy Management Console.
Go to SettingsSecurity settingsAccount policiesKerberos policy.
Modify the Maximum lifetime for user ticket policy.

Example: Request a different ticket renewal lifetime

[libdefaults]

renew_lifetime = 14d

The example requests a ticket that can be renewed for 14 days. The renewal lifetime might be limited server-side, where the default is 7 days.

To change the server-side limit:

Open your Group Policy Management Console.
Go to SettingsSecurity settingsAccount policiesKerberos policy.
Modify the Maximum lifetime for user ticket renewal policy.

Troubleshoot

In general, you can troubleshoot problems using the kinit command line tool on Linux. ChromeOS is Linux-based and the Kerberos tickets implementation uses kinit. So, if you can get a Kerberos ticket using kinit on Linux, you should also be able to get a ticket on ChromeOS with the same configuration.

Error message: KDC does not support encryption type

Error message: Contacting server for realm failed

Verify that you entered the correct Kerberos username.
The Kerberos username, [email protected], consists of:
- User sign-in name, also known as sAMAccountName
- Kerberos realm, that usually matches the Windows domain name
Make sure that the network connection is set up correctly.
Ensure that the server can be reached from the ChromeOS device at the standard Kerberos port 88.
Verify that DNS is set up correctly.
Kerberos requests certain DNS SRV records to find the DNS domain name of the Kerberos service. For instance, if the login domain, or realm, is example.com and the DNS domain name of the only Kerberos service is dc.example.com, the following DNS SRV records should be added:

Service	Protocol	Weight	Port	Target (Hostname)
_kerberos	_udp.dc._msdcs	100	88	dc.example.com
_kerberos	_tcp.dc._msdcs	100	88	dc.example.com
_kerberos	_udp	100	88	dc.example.com
_kerberos	_tcp	100	88	dc.example.com
_kerberos-master	_udp.dc._msdcs	100	88	dc.example.com
_kerberos-master	_tcp.dc._msdcs	100	88	dc.example.com
_kerberos-master	_udp	100	88	dc.example.com
_kerberos-master	_tcp	100	88	dc.example.com

If you cannot modify DNS settings, you can add these mappings in the Kerberos configuration.

For example:

[realms]

EXAMPLE.COM = {

kdc = dc.example.com

master_kdc = dc.example.com

}

If you still have problems getting Kerberos tickets, gather system logs. Also collect tcpdump or wireshark logs, if possible. Then, contact support.