Use Kerberos or Windows-Integrated authentication

Some companies route all internet traffic through a proxy server that asks each application to sign in with the same Windows account you use to log in to your computer. Franz can do this, but only when you tell it which servers it is allowed to send your Windows sign-in to.

This is the same kind of setting that web browsers and Microsoft Outlook use for company intranets. It is opt-in for safety reasons — Franz should never volunteer your Windows credentials to a random server on the public internet.

Add the launch flags

You add the allowlist as a launch flag on the Franz shortcut. Once added, every time you start Franz it uses those flags automatically.

Windows:

1. Right-click the Franz shortcut on your Desktop or Start menu.
2. Choose Properties.
3. In the Target field, add a space at the end and paste: --auth-server-allowlist=*.example.com --auth-negotiate-delegate-allowlist=*.example.com
4. Replace *.example.com with the domain (or comma-separated list of domains) provided by your IT team.
5. Click OK and restart Franz.

macOS:

1. Open a Terminal window.
2. Launch Franz with the flags appended: /Applications/Franz.app/Contents/MacOS/Franz --auth-server-allowlist=*.example.com --auth-negotiate-delegate-allowlist=*.example.com
3. To make this permanent, save it as a shell alias or as a custom launcher.

What to ask your IT team

You will need:

• The domain pattern your proxy uses, such as *.corp.example or a list of internal hostnames.
• Confirmation that your account is allowed to use single sign-on through that proxy. If you already open internal websites in your browser without typing a password, you are most likely ready.

If your proxy uses a username and password instead of single sign-on, Franz still asks you for those credentials in a sign-in dialog when needed — no launch flag is required.