Configure Kerberos Authentication between the Web Browser and the Web Server

Kerberos configuration between the Web Browser and Web Server.

Having verified all Kerberos requirements, the next step is to configure Kerberos Authentication between the Web Browser and the Web Server:

Figure 1. Kerberos Authentication Flow: Showing UA and Web Server only.



  1. Configure a Web Server to use Kerberos Authentication on a whole site or on a specific URL. For an IIS server, see IIS Configuration.
  2. Configure Web Browsers to enable Kerberos Authentication:
  3. With a Kerberos-enabled Web Browser, go to the Kerberos-configured Web site and retrieve a simple static HTML file that requires Kerberos Authentication. Do not try to access a Genero application or the GAS dispatcher yet; the goal at this stage is to keep this configuration step simple.

    If Kerberos is working, the Web Browser retrieves the static HTML file without asking for a password. For Web Browsers outside of the Kerberos domain, access will be refused or a password will be asked for.

At this stage, you have verified the Kerberos environment prior to adding Genero Kerberos configuration details.

Note: Because we configured an SSO environment, the password should be asked for only once: when the user logs on to the client machine. The Web Browser should not ask for the password again. If the Web Browser asks for a login/password, it generally means that Kerberos Authentication has failed and the Web Server has fallen back on a different Authentication scheme (NTLM, digest, and so on).
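
When the static-page test prompts for a password, the HTTP headers of the exchange show whether the browser sent a Kerberos ticket or fell back to NTLM. The following is an added example, not part of the Genero documentation: it classifies a captured `Authorization` header and lists the schemes offered in the 401 response. The header values are constructed samples, and the token check is a byte-pattern heuristic rather than a full ASN.1 parse.

```python
import base64
import binascii

# DER-encoded Kerberos mechanism OIDs found inside GSS-API/SPNEGO tokens.
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2 (Kerberos 5)
    bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2 (legacy Microsoft OID)
)
NTLM_SIGNATURE = b"NTLMSSP\x00"  # every NTLM message starts with this


def offered_schemes(www_authenticate_values):
    """Scheme names from a 401's WWW-Authenticate headers (one challenge per value)."""
    return [v.split(None, 1)[0].lower() for v in www_authenticate_values if v.strip()]


def classify_authorization(header_value):
    """Return 'kerberos', 'ntlm', 'unknown', 'none', or the name of another scheme."""
    scheme, _, token = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme not in ("negotiate", "ntlm"):
        return scheme or "none"
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    if NTLM_SIGNATURE in raw:  # raw NTLM, or NTLM carried inside SPNEGO
        return "ntlm"
    if raw[:1] == b"\x60" and any(oid in raw for oid in KRB5_OIDS):
        return "kerberos"  # GSS-API initial token naming the Kerberos mechanism
    return "unknown"


def diagnose(www_authenticate_values, authorization_value):
    kind = classify_authorization(authorization_value)
    if kind == "kerberos":
        return "OK: browser sent a Kerberos ticket"
    others = [s for s in offered_schemes(www_authenticate_values) if s != "negotiate"]
    return f"FALLBACK: browser sent {kind}; server also offers {others}"


# Constructed samples (not real tickets or captures).
SAMPLE_CHALLENGE = ["Negotiate", "NTLM", 'Digest realm="example"']
SAMPLE_KRB = "Negotiate " + base64.b64encode(
    b"\x60\x82\x01\x00" + bytes.fromhex("06062b0601050502") + b"\xa0\x30"
    + KRB5_OIDS[0] + b"\x01\x00" + b"\x00" * 16).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    NTLM_SIGNATURE + b"\x01\x00\x00\x00" + b"\x00" * 8).decode()

if __name__ == "__main__":
    print(diagnose(SAMPLE_CHALLENGE, SAMPLE_KRB))
    print(diagnose(SAMPLE_CHALLENGE, SAMPLE_NTLM))
```

In a browser's network trace, a Kerberos token after `Negotiate` typically begins with `YII`, while an NTLM token begins with `TlRMTVNTUA`.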