google-chromemicrosoft-edgekerberosntlm

Can Windows Edge/Chrome/Firefox do Kerberos Negotiate (not NTLM)?


I am able to succesfully kinit + klist to verify a ticket on Mac + Windows. I even carried over my Kerberos configuration to "KerberosForWindows".

It does not seem that any browser on Windows can do Kerberos style Negotiate instead of Windows-style NTLM. Is that the case?

I've tried all of the Local Site / Intranet / Trusted Domain / browser config propagate domain for negotiation auth. I just want to confirm if Windows browsers can do GSSAPI-style Negotiate.

// Kerberos authentication middleware
async function kerberosAuth(req, res, next) {
  // Check for the Authorization header and extract the token
  const authHeader = req.headers['authorization'];
  if (!authHeader || !authHeader.startsWith('Negotiate ')) {
      res.setHeader('WWW-Authenticate', 'Negotiate');
      return res.status(401).send('Kerberos authentication required');
  }
  const token = authHeader.slice('Negotiate '.length);

  // Base64 decode the token
  const decodedToken = Buffer.from(token, 'base64');

  // Check if it's NTLM
  if (decodedToken.toString('hex').startsWith('4e544c4d')) {
    // always hit on Windows
    return res.status(500).send('NTLM is not supported. Please use Kerberos authentication.');
  } else {
    // only ever hit on Mac/Linux
  }

Solution

  • Kerberos over HTTP Negotiate is also very much "Windows-style", as the HTTP mechanism was invented by Microsoft and is defined to use MS-SPNEGO (thus the name 'Negotiate') rather than raw Kerberos tokens.

    All popular browsers support Kerberos via HTTP Negotiate on Windows, but the MIT "Kerberos for Windows" package (gssapi.dll) is only supported by Mozilla/Firefox/Thunderbird, whereas IE and Chrome/Edge support Kerberos only through the Windows built-in SSPI interface (which is also the default in Firefox).

    For that reason, I generally avoid installing KfW on workstations and configure Windows SSPI instead, as that gives GSSAPI support to a much longer list of software.

    1. (If the realm is not an AD domain) Mark the realm as "MIT realm" so that Windows won't expect its KDCs to answer Netlogon pings. Skip this for Active Directory realms.

      sudo ksetup /SetRealmFlags EXAMPLE.COM TcpSupported
      

      Actual flags are optional; the presence of the realm entry in itself is what indicates the realm type being non-AD.

    2. (If the realm is not an AD domain and someone was too lazy to add DNS SRV records) Manually define the KDC hostname.

      sudo ksetup /AddKdc EXAMPLE.COM foo.example.com
      

      Properly managed realms (both MIT and AD) should have _kerberos._udp.<domain> SRV records pointing at the KDCs and won't need this configuration. Note that the presence of this entry marks it as a MIT/non-AD realm, as above.

    3. (If the client uses a local account for Windows logon) Store the Kerberos credentials in the Windows Credential Manager:

      cmdkey /add:*.example.com /user:foo@EXAMPLE.COM /pass
      

      For non-domain logons, this is the closest thing SSPI has to correspond to kinit, and it will automatically acquire a TGT using stored credentials when a program tries to obtain a service ticket.

      If credentials for a TGT are not available, IE and Edge/Chrome will prompt for them using a Basic-style dialog, but Firefox doesn't support that (as that's generally not something GSSAPI applications do).

    Side note: Current Firefox versions have a bug where they're unable to use Kerberos via SSPI when DoH is enabled in-browser. Make sure to disable it in Firefox settings.