@lilongen
Last active April 15, 2022 04:46
macos.chrome.access.hadoop.secure.webui
1.a /etc/krb5.conf
1.b export KRB5_CONFIG=/etc/krb5.conf
2. kinit
3. "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --auth-server-whitelist="*" --auth-negotiate-delegate-whitelist="*"
Issues & solutions:
I_1: Kerberos kinit: Unknown credential cache type while getting default ccache
A: Just comment out the default_ccache_name attribute in krb5.conf
https://stackoverflow.com/questions/48836113/kerberos-kinit-unknown-credential-cache-type-while-getting-default-ccache
# reference
https://ping.force.com/Support/PingFederate/Integrations/How-to-configure-supported-browsers-for-Kerberos-NTLM#chrome
Within a Mac OS Terminal shell use the following command:
You will need to get an initial ticket granting ticket (TGT) from your Kerberos KDC (domain controller) in order to request service tickets for the IWA Adapter:
>kinit joe@ADEXAMPLE.PINGIDENTITY.COM
joe@ADEXAMPLE.PINGIDENTITY.COM's Password: (password here)
Now, cd into the Chrome directory and start Chrome with the AuthServerWhitelist parameter:
>cd "/Applications/Google Chrome.app/Contents/MacOS"
>./"Google Chrome" --auth-server-whitelist="*.adexample.pingidentity.com"
Note: There's a second policy that one may want to set, AuthNegotiateDelegateWhitelist, to point Chrome to a particular server to delegate credentials to.
Add this parameter to the above command by specifying --auth-negotiate-delegate-whitelist="*.adexample.pingidentity.com"
If this parameter is not set, Chrome will not delegate user credentials even if a server is detected as being on the Intranet.
Once configured, this setting will persist every time Chrome is launched. You will still need to run kinit every 10 hours in order to allow Chrome to request service tickets for the IWA adapter.
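Added example (not part of the gist or the Ping document): a POSIX shell helper that checks for the ticket from step 2 and runs step 3 with both switches scoped to named domains, as the reference does, because the `*` values in step 3 let Chrome answer Negotiate challenges from, and delegate credentials to, any host. The domain `*.hadoop.example.com` and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the gist author's code. Source this file, then run e.g.
#   launch_chrome '*.hadoop.example.com'     (constructed placeholder domain)

CHROME="/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"

# Return 0 only for a pattern tied to a named domain: "host.domain.tld" or
# "*.domain.tld". Rejects empty values, a bare "*", "*.tld", embedded
# wildcards, and values containing spaces or commas.
valid_pattern() {
    case "$1" in
        ''|'*'|*' '*|*','*) return 1 ;;
        '*.'*.*|[!*]*.*)    ;;
        *)                  return 1 ;;
    esac
    # Only the optional leading "*." may contain a wildcard.
    case "${1#\*.}" in *'*'*) return 1 ;; esac
    return 0
}

# Print the validated patterns joined with commas, the list format the
# switches take. Fails if any pattern is too broad or none is given.
allowlist() {
    list=
    for p in "$@"; do
        valid_pattern "$p" || { echo "refusing pattern: $p" >&2; return 1; }
        list="${list:+$list,}$p"
    done
    [ -n "$list" ] || return 1
    printf '%s\n' "$list"
}

# Start Chrome with scoped Negotiate settings, but only when the credential
# cache already holds a valid ticket (klist -s is silent and sets exit status).
launch_chrome() {
    scoped=$(allowlist "$@") || return 1
    klist -s || { echo "no valid ticket; run kinit first" >&2; return 2; }
    "$CHROME" "--auth-server-whitelist=$scoped" \
              "--auth-negotiate-delegate-whitelist=$scoped"
}
```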