segunda-feira, 9 de março de 2015

Configuring Chrome and Firefox for Windows Integrated Authentication


Windows Integrated Authentication allows a users' Active Directory credentials to pass through their browser to a web server. Windows Integrated Authentication is enabled by default for Internet Explorer but not Google Chrome or Mozilla Firefox. Users who use the non-Microsoft browsers will receive a pop-up box to enter their Active Directory credentials before continuing to the website. This adds additional steps and complexity for users who are using web based applications. In an effort to make this process as easy as possible for end-users, many IT administrators enable Windows Integrated Authentication for the third party browsers. This can be done with Chrome and Firefox with a few additional steps. This article will show you how to enable Windows Integrated Authentication for Google Chrome and Mozilla Firefox.
 
Configuring Delegated Security for Mozilla Firefox
To configure Firefox to use Windows Integrated Authentication:
1. Open Firefox.
2. In the address bar type about:config
 
3. You will receive a security warning. To continue, click I’ll be careful, I promise
https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi18j1s45cfg3jVI-DWfoLDWyDtHoLC1t_4YRGDoJff7dFtooU4t8EAo0hnZIkd8hdF3BWq0721lNoCt_-7d52b2iu4dfvHZ34qxm6N9OTymPpDZo0bUMD-lLNLP20DhUzpNWaM8YVFclQ/s1600/2014-06-09+1.jpg
4. You will see a list of preferences listed. Find the settings below by browsing through the list or searching for them in the search box. Once you have located each setting, update the value to the following:   
 
Setting
Value **
network.negotiate-auth.delegation-uris
MyIISServer.domain.com
network.automatic-ntlm-auth.trusted-uris
MyIISServer.domain.com
network.automatic-ntlm-auth.allow-proxies
True
network.negotiate-auth.allow-proxies
True
 
** MyIISServer.domain.com should be the fully qualified name of your IIS server that you are setting up the Windows Integrated Authentication too.
Negotiate authentication is not supported in versions of Firefox prior to 2006.
https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZ2n25mcs04iILsbc_mOzXKYbhzpPMDE53K2nepdmAVAIIlzZ7X04so7oJh7X_wKPxx181-ob-Gi3g_X4yv8thaqD178PEmmqrAW0QngOrPrfpeNQM6ume1ITMQJQtEGkJexLxO9gkEBE/s1600/2014-06-09+2.jpg
 
https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjko_TPJsq_woXli-MvZPduL7hEwL-7Sae0yzITaY_IUjqHMz29cNqCiPoVi5CiSGzh3GSiAd7VhNgPjua5a3j0qM_wJG3i3i8l42LfVCCwrb8S1bZf5keklQ8TDjXhlgPmHPm8Gq1mcqc/s1600/2014-06-09+3.jpg
 
Configuring Delegated Security in Google Chrome
You can use three methods to enable Chrome to use Windows Integrated Authentication.Your options are the command line, editing the registry, or using ADMX templates through group policy. If you choose to use the command line or edit the registry, you could use Group Policy Preferences to distribute those changes on a broader scale. Below are the steps for the three methods:
 
To use the command line to configure Google Chrome:
Start Chrome with the following command:
 
Chrome.exe --auth-server-whitelist="MYIISSERVER.DOMAIN.COM" --auth-negotiate-delegatewhitelist="MYIISSERVER.DOMAIN.COM" --auth-schemes="digest,ntlm,negotiate"
 
https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRf-i7wJ0i2Cj9BRc_DX1q4w6Skm4JepzCqrsY3vrSE_QmAaxPgpjAQ7M9DET4Ert5J3sYXitia_MROLuz27Ll10rO_2wGkNswvW4kQ5v2tVjplVBK1IiQXTLyUGsGXW_PnjUJzCMOvAI/s1600/2014-06-09+4.jpg
 
To modify the registry to configure Google Chrome:
Configure the following registry settings with the corresponding values:
Registry                               
AuthSchemes                           
Data type: String (REG_SZ)
Windows registry location: Software\Policies\Google\Chrome\AuthSchemes
Mac/Linux preference name: AuthSchemes
Supported on: Google Chrome (Linux, Mac, Windows) since version 9
Supported features: Dynamic Policy Refresh: No, Per Profile: No
Description: Specifies which HTTP Authentication schemes are supported by Google Chrome. Possible values are 'basic', 'digest', 'ntlm' and 'negotiate'. Separate multiple values with commas. If this policy is left not set, all four schemes will be used.
Value: "basic,digest,ntlm,negotiate"
 
AuthServerWhitelist                  
Data type: String (REG_SZ)
Windows registry location: Software\Policies\Google\Chrome\AuthServerWhitelist
Mac/Linux preference name: AuthServerWhitelist
Supported on: Google Chrome (Linux, Mac, Windows) since version 9
Supported features: Dynamic Policy Refresh: No, Per Profile: No
Description: Specifies which servers should be whitelisted for integrated authentication. Integrated authentication is only enabled when Google Chrome receives an authentication challenge from a proxy or from a server which is in this permitted list. Separate multiple server names with commas. Wildcards (*) are allowed. If you leave this policy not set Chrome will try to detect if a server is on the Intranet and only then will it respond to IWA requests. If a server is detected as Internet then IWA requests from it will be ignored by Chrome.
Value: "MYIISSERVER.DOMAIN.COM"
 
AuthNegotiateDelegateWhitelist 
Data type: String (REG_SZ)
Windows registry location: Software\Policies\Google\Chrome\AuthNegotiateDelegateWhitelist
Mac/Linux preference name: AuthNegotiateDelegateWhitelist
Supported on: Google Chrome (Linux, Mac, Windows) since version 9
Supported features: Dynamic Policy Refresh: No, Per Profile: No
Description: Servers that Google Chrome may delegate to. Separate multiple server names with commas. Wildcards (*) are allowed. If you leave this policy not set Chrome will not delegate user credentials even if a server is detected as Intranet.
Example Value: ”MYIISSERVER.DOMAIN.COM”
 
To use ADM/ADMX templates through Group Policy to configure Google Chrome:
1.       Download Zip file of ADM/ADMX templates and documentation from: http://www.chromium.org/administrators/policy-templates.
 
2.       Add the ADMX template to your central store, if you are using a central store. For more information see the Specops Password Reset Administration Guide.
 
3. Configure a GPO with your application server DNS host name with Kerberos Delegation Server Whitelist and Authentication Server Whitelist enabled.
 
Each of these three methods achieve the same results for configuring Google Chrome for Windows Integrated Authentication. The method that is best for you will depend on how your organization is set up.  Personally, I would use the command line or the registry if you are deploying across an enterprise. You can easily distribute a shortcut on the user’s desktop with the command and distribute that with Group Policy preferences. If you choose to use the registry method, that is able to be distributed with Group Policy. 
 
With a variety of third-party browsers available, many users will receive a pop-up box to enter their Active Directory credentials before continuing to an IIS hosted web application. This leads to additional steps, complexity and confusion for many end-users. By setting up Windows Integrated Authentication into Chrome and Firefox, you will be able to give your users the greatest amount of flexibility for their choice of browser as well as ease of use with your web-based applications.   
 
 
https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjI5p13BMqclQpmvtkSN8YTzsOZZVNCvhPMjdkN0aIkVb9EfshAalWgC8RmVmIlJUHUFds-1wfCOJRarbPDHYMF0OJ_8O4FZMyTkq2XBtSseQqF88USz6BvoKOy1sxrN2OhmIw_3YVK0cs/s1600/Heather+Pacan+new+headshot.jpg

Heather Pacan, Product Specialist
 
Postado por às
Marcadores: , , ,

Nenhum comentário:

Postar um comentário

Assinar: Postar comentários (Atom)