For administrators who manage ChromeOS devices for a business or school.
As an admin, you can use Kerberos tickets on ChromeOS devices to enable single sign-on (SSO) for internal resources that support Kerberos authentication. Internal resources might include websites, file shares, certificates, and so on.
Requirements
- Kiosks are not currently supported.
- Active Directory environment.
Set up Kerberos
- Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Devices > Chrome > Settings. The User & browser settings page opens by default.
If you signed up for Chrome Enterprise Core, go to Menu > Chrome browser > Settings.
- (Optional) At the top, click Managed guest session settings.
- (Optional) To apply the setting only to some users and enrolled browsers, at the side, select an organizational unit (often used for departments) or configuration group (advanced).
Group settings override organizational units.
- Go to Kerberos.
- Click Kerberos tickets.
- Select Enable Kerberos.
- (Optional) (Users & browsers only) To automatically request Kerberos tickets for users when they sign in:
- Select Automatically add a Kerberos account.
- Enter the Principal name. The ${LOGIN_ID} and ${LOGIN_EMAIL} placeholders are supported.
- Select Use default Kerberos configuration. Or, select Customize Kerberos configuration and specify the Kerberos configuration that you need to support your environment. For details, see Configure how to get tickets.
Note: You should review your Kerberos configuration, krb5.conf. The default configuration enforces strong AES encryption, which might not be supported by every part of your environment.
- Click Save. Or, you might click Override for an organizational unit.
To later restore the inherited value, click Inherit (or Unset for a group).
Configure how Kerberos can be used on devices
- Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Devices > Chrome > Settings. The User & browser settings page opens by default.
If you signed up for Chrome Enterprise Core, go to Menu > Chrome browser > Settings.
- (Optional) At the top, click Managed guest session settings.
- To apply the setting to all users and enrolled browsers, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Go to Network.
- Configure allowed authentication servers:
- Click Integrated authentication servers.
- Enter URLs of websites that are protected by Kerberos. Users can use their active ticket to access the servers that you list, without having to sign in.
Note: You can add multiple server names, separated with commas. Wildcards, *, are allowed. Don't include wildcards in the domain name. For example, avoid adding *example.com to the list. Here is a sample list: *.example.com, example.com.
- Click Save.
- (Users & browsers only) Configure allowed servers for delegation:
- Click Kerberos delegation servers.
- Enter URLs of the servers that Chrome can delegate to.
Note: You can add multiple server names, separated with commas. Wildcards, *, are allowed.
- Click Save.
- (Users & browsers only) Specify whether to respect Key Distribution Center (KDC) policy to delegate Kerberos tickets:
- Click Kerberos ticket delegation.
- Choose an option:
- Respect KDC policy
- Ignore KDC policy
- Click Save. Or, you might click Override for an organizational unit.
To later restore the inherited value, click Inherit (or Unset for a group).
- Specify how the Kerberos service principal name (SPN) is generated:
- Click Kerberos service principal name.
- Choose an option:
- Use canonical DNS name
- Use original name entered
- Click Save. Or, you might click Override for an organizational unit.
To later restore the inherited value, click Inherit (or Unset for a group).
- (Users & browsers only) Specify whether the generated Kerberos SPN should include a non-standard port:
- Click Kerberos SPN port.
- Choose an option:
- Include non-standard port
- Do not include non-standard port
- Click Save. Or, you might click Override for an organizational unit.
To later restore the inherited value, click Inherit (or Unset for a group).
- (Users & browsers only) Specify whether third-party sub-content on a page is allowed to pop up an HTTP basic authentication dialog box:
- Click Cross-origin authentication.
- Choose an option:
- Allow cross-origin authentication
- Block cross-origin authentication
- Click Save. Or, you might click Override for an organizational unit.
To later restore the inherited value, click Inherit (or Unset for a group).
What users can do
Add a ticket
When users try to access a Kerberos-protected resource, they are given the option to add a ticket or continue without one.
To add a ticket, do the following:
- In the box, click Manage tickets.
- In the Kerberos tickets page, click Add a ticket.
- Enter your Active Directory username and password.
Note: ChromeOS only supports the user@domain notation, not the domain/user notation.
- (Optional) To automatically refresh the ticket, keep the Remember password box checked.
- (Optional) Edit the configuration file:
- Click Advanced.
- Change Kerberos configuration information, such as ticket lifetime, encryption types, and domain-realm mappings. For details, see Configure how to get tickets.
- Click Save.
- Click Add.
- Reload the page you are trying to view.
Note: Kerberos requires a certain DNS setup, in particular SRV records for the _kerberos and _kerberos-master services. For details, see Troubleshoot below.
Set active ticket
Users can add multiple Kerberos tickets on their ChromeOS devices, but only one ticket can be active and used for authentication at any given time. Users can access resources that require different authorization levels by switching tickets, for example, when certain internal webpages require a Kerberos ticket with a higher privilege level.
- If you haven't yet, sign in to a managed ChromeOS device.
- At the bottom right, select the time.
- Click Settings.
- In the People section, click Kerberos tickets.
- Find the ticket that you want to set active.
- On the right, click More > Set as active ticket.
Refresh a ticket and modify configuration
Tickets are configured on the device to have a lifetime of 1 day, but the Active Directory server limits that validity to 10 hours, by default. You can learn more about how to change these values in the Configure how to get tickets section. Tickets can also be automatically renewed, without users having to re-enter their username and password, for the period of time configured in renew_lifetime. That lifetime can also be configured on ChromeOS devices and is capped at a limit configured on the Active Directory server, as explained in the Configure how to get tickets section. By default, the renew_lifetime is zero, 0, on ChromeOS devices, meaning that the tickets won't be auto-renewed. When a ticket expires and can't automatically refresh, users see a message telling them that they need to refresh the ticket manually. If users let the active ticket expire, Kerberos authentication no longer works until they refresh the ticket.
- If you haven't yet, sign in to a managed ChromeOS device.
- At the bottom right, select the time.
- Click Settings.
- In the Kerberos section, click Kerberos tickets.
- Find the ticket that you want to refresh.
- On the right, click More > Refresh now.
- Enter your Active Directory username and password.
Note: ChromeOS only supports the user@domain notation, not the domain/user notation.
- (Optional) To automatically refresh the ticket, check the Remember password checkbox.
- (Optional) Edit the configuration file:
- Click Advanced.
- Change Kerberos configuration information, such as ticket lifetime, encryption types, and domain-realm mappings. For details, see the Configure how to get tickets section.
- Click Save.
- Click Refresh.
Additional information
- If the policy to automatically add tickets during sign-in is configured for the user, the following applies:
- The sign-in password will be used as the Active Directory password.
- The ticket cannot be automatically created if users sign in without a password, for example using PIN or fingerprint. In those cases, the user will need to manually refresh the ticket, providing the Active Directory password in the settings page.
- Locking/unlocking the device does not initiate an automatic ticket refresh.
- Users cannot persist a password while refreshing a ticket that was automatically added by policy. Auto-refreshing of those tickets will always use the sign-in password.
- ChromeOS devices try to automatically refresh tickets for which a password is stored. That can be the sign-in password for policy-created tickets, or the Remembered password for manually created tickets.
- There is no guarantee that tickets will be auto-refreshed every time, because all the scheduled refresh attempts might fail, for example, if the device is put into sleep mode or if there are network issues. In such cases, users need to manually refresh the ticket on the settings page. Or, if configured by policy, sign out and in again to automatically get a new ticket.
Remove a ticket
- If you haven't yet, sign in to a managed ChromeOS device.
- At the bottom right, select the time.
- Click Settings.
- In the People section, click Kerberos tickets.
- Find the ticket that you want to remove.
- On the right, click More > Remove from this device.
Configure how to get tickets
Section | Relation
---|---
[libdefaults] |
[realms] |
[domain_realm] | Any value
[capaths] | Any value
Example: Request a different ticket lifetime
[libdefaults]
ticket_lifetime = 16h
The example requests a ticket valid for 16 hours. The lifetime might be limited server-side, where the default is 10 hours.
To change the server-side limit:
- Open your Group Policy Management Console.
- Go to Settings > Security settings > Account policies > Kerberos policy.
- Modify the Maximum lifetime for user ticket policy.
Example: Request a different ticket renewal lifetime
[libdefaults]
renew_lifetime = 14d
The example requests a ticket that can be renewed for 14 days. The renewal lifetime might be limited server-side, where the default is 7 days.
To change the server-side limit:
- Open your Group Policy Management Console.
- Go to Settings > Security settings > Account policies > Kerberos policy.
- Modify the Maximum lifetime for user ticket renewal policy.
Troubleshoot
In general, you can troubleshoot problems using the kinit command line tool on Linux. ChromeOS is Linux-based and the Kerberos tickets implementation uses kinit. So, if you can get a Kerberos ticket using kinit on Linux, you should also be able to get a ticket on ChromeOS with the same configuration.
Error message: KDC does not support encryption type
Google enforces strong AES encryption by default. If you see an error about encryption types, it's possible that parts of your server environment cannot handle AES encryption. We recommend that you fix this.
Otherwise, consider removing the 3 lines for default_tgs_enctypes, default_tkt_enctypes, and permitted_enctypes from the configuration for development. This will enable all encryption types listed in the MIT Kerberos documentation except the ones marked as weak. Check to make sure that the security implications are acceptable for your needs. Some encryption types are no longer considered strong.
After you confirm that the set of all encryption types works, we recommend that you limit encryption types for default_tgs_enctypes, default_tkt_enctypes, and permitted_enctypes to an appropriate subset of types to minimize security risk.
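As an added check for the lifetime settings in Configure how to get tickets and the encryption-type guidance above (example code written for this page, not Google's or MIT Kerberos's own tooling), the following Python reads the [libdefaults] section of a krb5.conf and reports values the server will cap and enctype settings that are missing or not AES. The 10-hour and 7-day server defaults and the 1-day and 0 device defaults come from this page; the sample configuration, the AES-only rule and the simple duration syntax (16h, 14d, 30m, bare seconds) are assumptions.

```python
import re
SAMPLE_KRB5_CONF = """
[libdefaults]
  ticket_lifetime = 16h
  renew_lifetime = 14d
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
  permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""  # constructed sample for this example, not Google's default configuration
SERVER_MAX_TICKET_H, SERVER_MAX_RENEW_H = 10, 7 * 24  # Active Directory defaults quoted on the page
STRONG_ENCTYPE = re.compile(r"^aes(128|256)-cts-hmac-sha(1-96|256-128|384-192)$")  # assumption: AES only
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_duration_hours(value):
    """Convert the simple MIT duration forms used on the page (16h, 14d, 30m, bare seconds) to hours."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)] / 3600

def parse_libdefaults(text):
    """Return key = value pairs from the [libdefaults] section; '#' starts a comment."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "libdefaults" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            out[key] = val
    return out

def check_libdefaults(cfg):
    """List lifetimes the server will cap and enctype settings the page warns about."""
    findings = []
    ticket_h = parse_duration_hours(cfg.get("ticket_lifetime", "1d"))  # device default: 1 day
    if ticket_h > SERVER_MAX_TICKET_H:
        findings.append(f"ticket_lifetime {ticket_h:g}h exceeds server cap of {SERVER_MAX_TICKET_H}h")
    renew_h = parse_duration_hours(cfg.get("renew_lifetime", "0"))  # device default: 0
    if renew_h == 0:
        findings.append("renew_lifetime is 0: tickets will not be auto-renewed")
    elif renew_h > SERVER_MAX_RENEW_H:
        findings.append(f"renew_lifetime {renew_h:g}h exceeds server cap of {SERVER_MAX_RENEW_H}h")
    for key in ENCTYPE_KEYS:
        if key not in cfg:  # line removed for development: every non-weak enctype becomes allowed
            findings.append(f"{key} not set: all non-weak encryption types allowed")
        elif weak := [e for e in cfg[key].split() if not STRONG_ENCTYPE.match(e)]:
            findings.append(f"{key} allows non-AES encryption type(s): {' '.join(weak)}")
    return findings
```

Run `check_libdefaults(parse_libdefaults(open("krb5.conf").read()))` against the configuration you paste into the Admin console to see which values the server will silently cap.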
Error message: Contacting server for realm failed
- Verify that you entered the correct Kerberos username.
The Kerberos username, in user@domain notation, consists of:
- User sign-in name, also known as sAMAccountName
- Kerberos realm, which usually matches the Windows domain name
- Make sure that the network connection is set up correctly.
Ensure that the server can be reached from the ChromeOS device at the standard Kerberos port 88.
- Verify that DNS is set up correctly.
Kerberos queries certain DNS SRV records to find the DNS domain name of the Kerberos service. For instance, if the login domain, or realm, is example.com and the DNS domain name of the only Kerberos service is dc.example.com, the following DNS SRV records should be added:
Service | Protocol | Priority | Weight | Port | Target (Hostname) |
---|---|---|---|---|---|
_kerberos | _udp.dc._msdcs | 0 | 100 | 88 | dc.example.com |
_kerberos | _tcp.dc._msdcs | 0 | 100 | 88 | dc.example.com |
_kerberos | _udp | 0 | 100 | 88 | dc.example.com |
_kerberos | _tcp | 0 | 100 | 88 | dc.example.com |
_kerberos-master | _udp.dc._msdcs | 0 | 100 | 88 | dc.example.com |
_kerberos-master | _tcp.dc._msdcs | 0 | 100 | 88 | dc.example.com |
_kerberos-master | _udp | 0 | 100 | 88 | dc.example.com |
_kerberos-master | _tcp | 0 | 100 | 88 | dc.example.com |
If you cannot modify DNS settings, you can add these mappings in the Kerberos configuration.
For example:
[realms]
EXAMPLE.COM = {
kdc = dc.example.com
master_kdc = dc.example.com
}
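To check the DNS setup above before falling back to a static mapping, here is an added Python helper (written for this page, not Google's or MIT Kerberos's own code) that derives the eight SRV names from the table, parses answers in `dig +short SRV` form, reports the names that do not point at the KDC on port 88, and builds the [realms] stanza for the fallback. The sample answers are constructed; the realm example.com and KDC dc.example.com are the ones the page uses.

```python
# Example code for this page (not Google's or MIT Kerberos's own tooling).
SERVICES = ("_kerberos", "_kerberos-master")
PROTOCOLS = ("_udp.dc._msdcs", "_tcp.dc._msdcs", "_udp", "_tcp")
KERBEROS_PORT = 88

def expected_srv_names(realm):
    """The eight SRV names from the table above for a realm such as example.com."""
    return [f"{svc}.{proto}.{realm.lower()}" for svc in SERVICES for proto in PROTOCOLS]

def parse_dig_short(output):
    """Parse `dig +short SRV` answers: one 'priority weight port target.' per line."""
    records = []
    for line in output.strip().splitlines():
        prio, weight, port, target = line.split()
        records.append((int(prio), int(weight), int(port), target.rstrip(".")))
    return records

def check_srv(realm, kdc, answers):
    """answers maps SRV name -> dig output; return names that do not resolve to kdc on port 88."""
    bad = []
    for name in expected_srv_names(realm):
        records = parse_dig_short(answers.get(name, ""))  # missing name: dig prints nothing
        if not any(port == KERBEROS_PORT and target == kdc for _, _, port, target in records):
            bad.append(name)
    return bad

def realms_fallback(realm, kdc):
    """The krb5.conf [realms] mapping the page suggests when DNS cannot be changed."""
    return "\n".join(["[realms]", f"{realm.upper()} = {{", f"  kdc = {kdc}", f"  master_kdc = {kdc}", "}"])

# Constructed answers: the plain _udp/_tcp records exist, the _msdcs ones were never added.
SAMPLE_ANSWERS = {
    "_kerberos._udp.example.com": "0 100 88 dc.example.com.",
    "_kerberos._tcp.example.com": "0 100 88 dc.example.com.",
    "_kerberos-master._udp.example.com": "0 100 88 dc.example.com.",
    "_kerberos-master._tcp.example.com": "0 100 88 dc.example.com.",
}

if __name__ == "__main__":
    missing = check_srv("example.com", "dc.example.com", SAMPLE_ANSWERS)
    print("SRV records missing or not pointing at the KDC:", missing)
    if missing:
        print(realms_fallback("example.com", "dc.example.com"))
```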
If you still have problems getting Kerberos tickets, gather system logs. Also collect tcpdump or wireshark logs, if possible. Then, contact support.
Error message: Username not known to server
Error message: Couldn’t get Kerberos ticket. Try again, or contact your organization’s device admin. (Error code X).
Error message: Kerberos authentication failed.
To automatically add Kerberos tickets after sign-in, users must sign in using their password, not their PIN. This password must be the same as the one used to authenticate against the Active Directory server when adding a ticket. See Add a ticket.
If users want to continue to sign in using their PIN, they must create tickets manually.