Using Touchstone with Kerberos Tickets (via SPNEGO)

The instructions below are for advanced users. Typically Touchstone users find it easier to use one of the other supported authentication methods (certificate, username/password).

This article has a few pointers for using MIT Touchstone with Kerberos Tickets.

Overview

You can use your existing Kerberos tickets to authenticate to the MIT Touchstone login server (idp.mit.edu) via the Simple and Protected GSS-API Negotiation Mechanism ("SPNEGO") protocol over HTTP.

Prerequisites

Getting Kerberos Tickets

If you're on an Athena workstation or WIN.MIT.EDU client, you will normally acquire Kerberos tickets at login and can skip this step.

You must be an administrator of your workstation and install software from the administrator account.

  1. Download and install MIT Kerberos for Windows (KfW) or Kerberos Extras for Mac from the MIT Kerberos Applications Software Grid.
  2. Acquire Kerberos Tickets:

Configuring Your Browser

Firefox

Debathena machines already have this configuration in place.

  1. Open Firefox
  2. In the address field, type about:config, and press Return
  3. In the Filter field, start typing "network.neg..." to narrow the list and find network.negotiate-auth.trusted-uris
  4. Double-click network.negotiate-auth.trusted-uris
  5. In the dialog box text field, enter the URI: https://idp.mit.edu
  6. Click OK to set Touchstone as a trusted URI for authentication
  7. On Windows machines using Kerberos for Windows, you will also need to set network.auth.use-sspi to "false", as follows
  8. Erase the previous text from the Filter field, start typing use-sspi in it, and find "network.auth.use-sspi"
  9. If the value of network.auth.use-sspi is "true", double-click it to toggle the value to "false"
    Result: Your browser should now be configured. Try to access a Touchstone-enabled site, or test your settings here.
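As an added check that is not part of the original article, the following POSIX shell function audits a Firefox prefs.js for the two preferences set in the steps above (network.negotiate-auth.trusted-uris and, on Kerberos for Windows, network.auth.use-sspi). The sample profiles and the "windows" flag are constructed for this example; a real profile keeps its prefs.js inside the Firefox profile directory.

```shell
#!/bin/sh
# Added example, not the article's own code. Assumes the prefs.js format:
#   user_pref("name", value);

# Print the last value recorded for a preference, or nothing if it is unset.
pref_value() {
    # $1 = path to prefs.js, $2 = preference name
    sed -n "s/^user_pref(\"$2\", *\(.*\));\$/\1/p" "$1" | tail -n 1
}

# Return 0 if the profile matches the article's Firefox steps, 1 otherwise.
# $2 = "windows" enforces the extra Kerberos-for-Windows setting (use-sspi=false).
check_firefox_spnego() {
    prefs="$1"; platform="$2"; status=0
    uris=$(pref_value "$prefs" "network.negotiate-auth.trusted-uris")
    case "$uris" in
        *https://idp.mit.edu*) ;;
        *) echo "trusted-uris lacks https://idp.mit.edu (value: ${uris:-unset})"; status=1 ;;
    esac
    if [ "$platform" = "windows" ]; then
        sspi=$(pref_value "$prefs" "network.auth.use-sspi")
        # Firefox defaults use-sspi to true, so an unset pref is a failure here.
        if [ "${sspi:-true}" != "false" ]; then
            echo "network.auth.use-sspi is ${sspi:-unset}; KfW needs false"; status=1
        fi
    fi
    return $status
}

# Constructed sample profiles (not real user data).
GOOD=$(mktemp); NOSSPI=$(mktemp); BAD=$(mktemp)
cat > "$GOOD" <<'EOF'
user_pref("network.negotiate-auth.trusted-uris", "https://idp.mit.edu");
user_pref("network.auth.use-sspi", false);
EOF
cat > "$NOSSPI" <<'EOF'
user_pref("network.negotiate-auth.trusted-uris", "https://idp.mit.edu");
EOF
cat > "$BAD" <<'EOF'
user_pref("network.negotiate-auth.trusted-uris", "https://example.org");
EOF

if check_firefox_spnego "$GOOD" windows; then echo "GOOD profile: configured"; fi
if ! check_firefox_spnego "$NOSSPI" windows; then echo "NOSSPI profile: fails on Windows only"; fi
```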

Internet Explorer, Microsoft Edge and Chrome on Windows

You must add the MIT Touchstone server (idp.mit.edu) to the "Local intranet security zone"; otherwise, when the login server initiates negotiation, IE will prompt for a username/password by default. This is true even for a WIN.MIT.EDU client machine, because it and the login server are in different domains (realms).

If you do not add Touchstone to the security zone, IE will display a username/password dialog when you attempt to authenticate with Kerberos tickets. Do not enter your username or password in this dialog. Click "Cancel" to dismiss it and let IE proceed to the Touchstone login page.

To add Touchstone to the security zone, perform the following steps:

  1. From the Tools menu, select Internet Options
  2. Click on the Security tab
  3. Select the Local intranet icon
  4. Click the Sites... button below at right
  5. Click the Advanced... button
  6. Add the Touchstone server URI: https://idp.mit.edu to the zone
  7. Click Close or OK in each dialog window
    Result: This sets Touchstone as a trusted URI for authentication within your intranet zone. Your browser should now be configured. Try to access a Touchstone-enabled site, or test your settings here.

Additional configuration required for non-domain machines

On a non-WIN.MIT.EDU domain machine, additional configuration is required so that KfW operates on the native ticket cache. To change the default so that tickets are acquired in the native cache, do one of the following (this only needs to be done once):

Chrome on MacOS

  1. Open a Terminal window
  2. Enter the command: defaults write com.google.Chrome AuthServerWhitelist idp.mit.edu

Chrome on Linux

Run the following command at your command line:

Safari

Does not require additional configuration once you install MIT Kerberos Extras (see above).

See Also

IS&T Contributions

Documentation and information provided by IS&T staff members


Last Modified:

June 15, 2023
