Configuring SPNEGO on the Client
An administrator or user can configure SPNEGO on the client (web browser or client tools, such as curl). To configure SPNEGO on the client, a Kerberos Ticket Granting Ticket must exist for the user accessing the web server. The Kerberos Ticket Granting Ticket generated on the client side is used by the web client to get a service ticket from the KDC. This service ticket is used to generate a SPNEGO token, which is presented to the web server for authentication.
The client should use the same web server hostname (as configured in the server-side
principal) to access the Drill Web Console. If the server hostname differs, SPNEGO
authentication will fail. For example, if the server principal is
"HTTP/example.QA.LAB@QA.LAB"
, the client should use
http://example.QA.LAB:8047
as the Drill Web Console URL.
The following sections provide instructions for configuring the supported client-side browsers:
Firefox
Chrome
--auth-server-whitelist
parameter to the
google-chrome
command. For example, to run Chrome from a Linux prompt,
run the google-chrome
command, as shown:
google-chrome --auth-server-whitelist = "hostname/domain"
Example: google-chrome --auth-server-whitelist = "example.QA.LAB"
Safari
No configuration is required for Safari. Safari automatically authenticates using SPNEGO when requested by the server.
Internet Explorer
- Go to Tools > Options > Security > Local Intranet > Sites, and select all options.
- Select Advanced, and add one or both of the following URLs to server:
- http://
- https:// NOTEMake sure you use the hostname of the Drillbit in the URL.
- Close the Advanced tab, and click OK.
- Go to Tools > Options > Advanced > Security (in the checkbox list), and enable the Integrated Windows Authentication option.
- Click OK.
- Close and reopen IE. You can browse to your Spengo protected resource.
REST API
You can use CURL commands to authenticate using SPNEGO and access secure web resources over REST.
curl
command to log in using SPNEGO, and save the
authenticated session cookie to a file, such as cookie.txt
, as
shown:curl -v --negotiate -c cookie.txt -u : http://<hostname>:8047/spnegoLogin
cookie.txt
, to access the Drill Web Console pages, as shown in the
following
example:curl -v --negotiate -b cookie.txt -u : http://<hostname>:8047/query
Example: curl -v --negotiate -b cookie.txt -u : http://example.QA.LAB:8047/query