Touchstone@MIT

Browser Configuration for Kerberos Tickets

You can use your existing Kerberos tickets to authenticate to the MIT Touchstone login server (idp.mit.edu) via the Simple and Protected GSS-API Negotiation Mechanism ("SPNEGO") protocol over HTTP.

By default, Firefox (1.5+) and Internet Explorer (6+) are configured not to perform negotiation with a server unless it is trusted; Safari on Mac OS X 10.4 requires no additional configuration for the login server.

To authenticate with Kerberos tickets:

  1. your browser must support the HTTP Negotiate mechanism (Firefox 1.5+, Safari and IE6+ do)
  2. you must have a valid Kerberos ticket for the ATHENA.MIT.EDU realm (more info here)
  3. you must configure the browser to enable negotiation with the Touchstone server (see instructions below)

In Firefox:

NOTE: Athena machines running version 9.4.41 or higher already have this configuration in place.

  1. In the address field, type about:config, and press Return
  2. Start typing "network.neg..." in the Filter field to narrow the list and find network.negotiate-auth.trusted-uris
  3. Double-click network.negotiate-auth.trusted-uris
  4. In the dialog box text field, enter the URI: https://idp.mit.edu
  5. Click OK
  6. This sets Touchstone as a trusted URI for authentication
  7. Your browser should now be configured. Try to access a Touchstone-enabled site or test your settings here
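
To check the result of the Firefox steps above, the following Python example (added here, not part of the original MIT instructions) reads the text of a profile's prefs.js, confirms that https://idp.mit.edu is listed in network.negotiate-auth.trusted-uris, and flags entries that would let Firefox negotiate with more servers than intended. The sample prefs content and the function names are constructed for illustration, and the code assumes the preference is stored in the usual user_pref("name", "value"); form.

```python
import re
from urllib.parse import urlsplit

PREF = "network.negotiate-auth.trusted-uris"
IDP_HOST = "idp.mit.edu"  # the Touchstone login server named on this page

# Constructed sample prefs.js content (not taken from a real profile).
SAMPLE_PREFS = '''
user_pref("browser.startup.homepage", "https://web.mit.edu");
user_pref("network.negotiate-auth.trusted-uris", "https://idp.mit.edu, http://intranet.example, https://");
'''

# Matches string-valued preferences only, which is what trusted-uris is.
_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*"([^"]*)"\);')


def trusted_uris(prefs_text):
    """Return the comma-separated trusted-uris entries as a list (empty if unset)."""
    for name, value in _PREF_RE.findall(prefs_text):
        if name == PREF:
            return [e.strip() for e in value.split(",") if e.strip()]
    return []


def audit(prefs_text):
    """Return (idp_trusted_over_https, [(entry, finding), ...])."""
    idp_ok = False
    findings = []
    for entry in trusted_uris(prefs_text):
        # Entries may be a full URI prefix or a bare host/domain with no scheme.
        parts = urlsplit(entry if "://" in entry else "//" + entry)
        host = parts.hostname or ""
        if parts.scheme == "https" and host == IDP_HOST:
            idp_ok = True
        elif not host:
            findings.append((entry, "scheme-only entry: matches every host"))
        elif parts.scheme != "https":
            findings.append((entry, "not restricted to https"))
    return idp_ok, findings


if __name__ == "__main__":
    ok, problems = audit(SAMPLE_PREFS)
    print("idp.mit.edu trusted over https:", ok)
    for entry, why in problems:
        print("review:", entry, "-", why)
```
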

In Internet Explorer:

You must add the MIT Touchstone server (idp.mit.edu) to the "Local intranet security zone"; otherwise, when the login server initiates negotiation, IE will prompt for a username/password by default. This is true even for a WIN.MIT.EDU client machine, because it and the login server are in different domains (realms).

NOTE: If you do not add Touchstone to the security zone, IE will display a username/password dialog when you attempt to authenticate with Kerberos tickets. Do not enter your username or password in this dialog. Click "Cancel" to dismiss it and let IE proceed to the Touchstone login page.

To add Touchstone to the security zone, perform the following steps:

  1. From the Tools menu, select Internet Options
  2. Click on the Security tab
  3. Select the "Local intranet" icon
  4. Click the "Sites..." button below at right
  5. Click the "Advanced..." button
  6. Add the Touchstone server URI: https://idp.mit.edu to the zone
  7. Click Close or OK in each dialog window
  8. This sets Touchstone as a trusted URI for authentication within your intranet zone
  9. Your browser should now be configured. Try to access a Touchstone-enabled site or test your settings here

Other browsers

Safari does not require additional configuration by the user.