How to change your WebLogin Advanced Settings

Also see: What is WebLogin?

An authentication mechanism called HTTP Negotiate is available for a limited set of browsers and operating systems. HTTP Negotiate enables supported browsers to access protected web sites using Kerberos credentials obtained from your computer login (e.g., Kerberos for Macintosh or kinit). If you are using a supported browser (correctly configured if necessary), you will be able to access most WebAuthed sites without having to re-enter your SUNet ID and password. (A few web-based services at Stanford, such as Web-AFS, always require that you enter your login information, even if you are already logged in through WebAuth.)

Note: this feature has been added for early adopters; it will not be widely available in all browsers for some time. You should be comfortable manually configuring your browser before you attempt to use HTTP Negotiate. If you are not, you should continue to use WebLogin as you are used to doing.

What browsers are supported?

Internet Explorer and Chrome (if the computer is connected to the Stanford Windows Infrastructure) and Firefox on Windows; Safari, Chrome, and Firefox on Mac OS X; and Firefox and Chrome on the UNIX platform. See the table below for details.

Browsers Works Works with Config Change

Windows

 Internet Explorer*   X
Firefox   X
Chrome*
X
X

Mac

 Safari (OS X 10.4 or higher) X  
Firefox   X

UNIX

 Firefox   X
Chrome
X
 
* Windows computers must be logged into the Stanford Windows Infrastructure (WIN.STANFORD.EDU).

How does this work?

If you elect to use this option, HTTP Negotiate will try to use a protocol called SPNEGO to exchange authentication information with your browser. If you are not already logged in to Kerberos on your local system, or if your browser is not supported, the system will not authenticate you and will prompt you again for your username and password. It is also possible that the browser will not load the new page at all or may pop up confusing dialog boxes. If you get an error message from your browser or a separate dialog box asking for your username and password, do not respond to that prompt. Instead, cancel, return to the previous page, and log in with your username and password.

If logging in using your computer login information works on your system, you will have the option of enabling it permanently for the particular web browser and computer. To do so, you will need to "enable" it by adding a cookie and, in some cases, configure your browser (see the table, above, of supported browsers).

How do I change my settings?

Internet Explorer

  1. From Internet Explorer's Tools menu, choose Internet Options.
  2. Click the Security tab.
  3. Click the icon for the Local Intranet zone.
  4. Click the Sites button and then the Advanced button.
  5. Enter https://*.stanford.edu and click Add.
  6. Click OK through the various open windows to close the Internet Options.

Firefox (all platforms)

  1. Configure Firefox:
    • In the address field type about:config and press ENTER or RETURN.
    • In the Preference Name column, scroll down and locate network.negotiate-auth.trusted-uris.
    • Double-click that preference, enter stanford.edu in the dialog box, and click OK.
    • For Windows Users Only: Locate the network.auth.use-sspi preference and double-click it to change the value to false.
    • Return to the "WebLogin Advanced Settings" web page.
  2. Log in using your SUNet ID and password with Network Identity Manager (for Windows users), Kerberos for Macintosh (for Mac users), or kinit (for UNIX users).
  3. Click Advanced settings.
  4. When the Advanced Settings page loads, click Test.
  5. If the test succeeds, click the Enable button. If it does not succeed, you have either configured your browser incorrectly or you do not have Kerberos credentials.
  6. Quit and Restart Firefox.
  7. Go to a protected Stanford site. If you have successfully configured your browser, you will go straight to the site. You can also use the Test link to verify your browser settings.
  8. If you should decide to disable HTTP Negotiate, return to the Advanced Settings page. Click Disable to turn the feature off. (Note: any time you delete your browser cookies you will need to re-enable the HTTP Negotiate feature.)

Safari

  1. Log in using your SUNetID and password with Kerberos for Macintosh.
  2. Click Advanced settings.
  3. When the Advanced Settings page loads, click Test.
  4. You should receive a message that your browser supports HTTP Negotiate. Click the Enable button to set the cookie in your browser.
  5. Quit and restart Safari.
  6. Go to a protected Stanford site. If you have successfully configured your browser, you will go straight to the site. Click the link to continue to the site you requested.
  7. If you should decide to disable HTTP Negotiate, return to the Advanced Settings page. Click Disable to turn the feature off. (Note: any time you delete your browser cookies, e.g., you decide to use the "Reset Safari" feature that clears your cache, history, and cookies, you will need to re-enable the HTTP Negotiate feature.)

Chrome

From the command line (UNIX) or terminal.app (Macintosh) start Chrome with this command line switch:

--auth-server-whitelist=weblogin.stanford.edu