Kerberos Extension (app-sso) not available for Browsers on Big Sur

dpv13
New Contributor II

Hello everyone,

I do love Apple Kerberos Extension. Unfortunately, I do have an issue with macOS 11 Big Sur as I can only access SSO through Safari, not Chrome or Edge Chromium. We do have some internal Apps that don't get along with Safari... (at this time people under Big Sur can't schedule their vacations!) ;-)

I found a blog where they solved the issue by tearing off the sandbox for the other browsers: I won't do that.

Does anyone have the same issue? Any idea on how to get rid of it?

Truly,
DP

7 REPLIES

cbrewer
Valued Contributor II

Known issue in Chrome. It's reportedly already fixed in Chrome 89 early builds and will hopefully be fixed in the release version of Chrome 88.

spotmac
New Contributor III

@dannypierre.villeneuve did you try this?
defaults write com.google.Chrome AuthServerWhitelist .example.com
defaults write com.google.Chrome AuthNegotiateDelegateWhitelist .example.com

ronhunter212
New Contributor III
Looks like that may be deprecated and only AuthSchemes may be working.
 
Platform | Machine | Recommended | Deprecated
Platform | Machine | Recommended | OK
Platform | Machine | Recommended | Deprecated
 

user-BQxTPslGSS
New Contributor
Hello everyone, I do love Apple Kerberos Extension. Unfortunately, I do have an issue with macOS 11 Big Sur as I can only access SSO through Safari, not Chrome or Edge Chromium. We do have some internal Apps that don't get along with Safari... (at this time people under Big Sur can't schedule their vacations!) ;-) I found a blog where they solved the issue by tearing off the sandbox for the other browsers: I won't do that Upsers. Does anyone have the same issue? Any idea on how to get rid of it? Truly, DP

That error is not a problem. It means that there is not previously saved data. Be aware that the bundle id ACL is case sensitive and it is used the first time a credential is received until it expires. This could impact your tests depending on the order. I suggest trying without the ACL until you get it working. The CFNetwork stack is supported for SSO. Does your app download the data separately from the WKWebView? Or does it load the URL directly in it?

jianwei
New Contributor

I assigned the SSO extension to Big Sur, but when visiting the Intranet site via Safari, I was prompted for AD credentials. Windows PCs don't have this problem. What's on Safari?

dpv13
New Contributor II

@spotmac Hello.
Yes, I have it in place, but I find it unreliable. In fact, it only works reliably with Safari...

Workaround that is working great with Edge Chromium:
Quit Browsers;
Restart;
Open Safari;
Connect to a page that requires SSO;
If it works, open Edge Chromium and connect to SSO pages.

dpv13
New Contributor II

So...

If you're still interested in that topic.

Expired Kerberos tickets are not purged and browsers other than Safari continue to use the expired one, so it doesn't work.

Simple task to do in Terminal, you can even create a nice Self Service action from it:

kdestroy -a
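
A conditional variant of the purge above, as an added example that is not part of the original thread: it destroys the caches only when the ticket listing shows an expired entry, so valid tickets are left alone. It assumes klist marks expired tickets as ">>>Expired<<<" (with or without inner spaces); the function names, the --purge switch and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): purge Kerberos caches only when an
# expired ticket is present, instead of running `kdestroy -a` unconditionally.
# Assumption: klist marks an expired entry as ">>>Expired<<<" (with or without
# inner spaces) in the Expires column. Confirm against your macOS build.

# Constructed sample listings, used for the dry run below.
SAMPLE_EXPIRED='Credentials cache: API:CONSTRUCTED-UUID
        Principal: jdoe@EXAMPLE.COM

  Issued                Expires               Principal
Jan  4 09:00:00 2021  >>>Expired<<<  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

SAMPLE_VALID='Credentials cache: API:CONSTRUCTED-UUID
        Principal: jdoe@EXAMPLE.COM

  Issued                Expires               Principal
Jan  4 09:00:00 2021  Jan  4 19:00:00 2021  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Read a klist listing on stdin; print "purge" if any ticket is expired.
decide() {
    if grep -Eq '>>> ?Expired ?<<<'; then
        echo purge
    else
        echo keep
    fi
}

# Inspect the real caches and destroy them only when needed.
purge_if_expired() {
    # klist may exit non-zero when no cache exists; keep whatever it printed.
    listing=$(klist -A 2>/dev/null || true)
    if [ "$(printf '%s\n' "$listing" | decide)" = purge ]; then
        kdestroy -a
        echo "Expired tickets found: all caches destroyed."
    else
        echo "No expired tickets: caches left untouched."
    fi
}

# Touch real caches only when asked to; otherwise dry-run on the samples.
if [ "${1:-}" = "--purge" ]; then
    purge_if_expired
else
    printf '%s\n' "$SAMPLE_EXPIRED" | decide
    printf '%s\n' "$SAMPLE_VALID" | decide
fi
```

Jamf policy scripts run as root, so for a Self Service item the command has to be executed as the logged-in user for it to see that user's cache.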