Windows OS Hub
  • Windows Server
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Group Policies
  • Windows Clients
    • Windows 10
    • Windows 8
    • Windows 7
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
  • PowerShell
  • Exchange
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Group Policies
  • Windows Clients
    • Windows 10
    • Windows 8
    • Windows 7
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
  • PowerShell
  • Exchange

 Windows OS Hub / Active Directory / Configuring Kerberos Authentication in Different Browsers

August 1, 2018 Active DirectoryMisc

Configuring Kerberos Authentication in Different Browsers

In this article, we’ll look at how to configure Kerberos authentication for different browsers in a Windows domain to enable transparent and secure authentication on web servers without the need to re-enter a user’s password in a corporate network. Most modern browsers (IE, Chrome, Firefox) support Kerberos, however, you have to perform some extra steps to make it work.

To allow a browser to authenticate on a web server, the following conditions have to be fulfilled:

  1. Kerberos support must be enabled on the web server side (an example of Setting up Kerberos Authentication for IIS Website );
  2. A user must have access to the webserver;
  3. A user must be authenticated on his computer joined to the Active Directory using Kerberos (must have a valid TGT — Kerberos Ticket Granting Ticket).

For example, you want to allow Kerberos clients to authenticate using a browser on any web servers of the woshub.com domain (DNS or FQDN name must be used instead of the IP address of the web server).

Contents:
  • Enabling Kerberos Authentication in Internet Explorer
  • How to Enable Kerberos Authentication in Google Chrome
  • Configure Firefox to Authenticate using Kerberos

Enabling Kerberos Authentication in Internet Explorer

Let’s consider how to enable Kerberos authentication in Internet Explorer 11.

We remind that since January, 2016, the only officially supported Internet Explorer version is IE11.

Go to Internet Options -> Security -> Local intranet, and click Sites -> Advanced. Add the following entries to the zone:

  • https://*.woshub.com
  • http://*.woshub.com

local intranet zone for kerberos auth

You can add the sites to this zone using the Group Policy: Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Site to Zone Assignment. Add an entry with the value 1 for each website. See the example in the article “How to disable Open File security warning on Windows for the files downloaded from the Internet”.

Then go to the Advanced tab and in the Security section, make sure that Enable Integrated Windows Authentication option is checked.

Enable Integrated Windows Authentication in Internet Explorer 11

Important. Make sure that websites, for which Kerberos authentication is enabled, are present only in the Local intranet zone. A Kerberos token for the websites included into Trusted sites zone is not sent to the corresponding web server.

How to Enable Kerberos Authentication in Google Chrome

To make SSO work in Google Chrome, configure Internet Explorer using the method described above (Chrome uses IE setting). In addition, it should be noted that all new versions of Chrome automatically detect Kerberos support on the website. If you are using one of the earlier Chrome (Chromium) versions, run it with the following parameters to make Kerberos authentication on your web servers work correctly:

--auth-server-whitelist="*.woshub.com"
--auth-negotiate-delegate-whitelist="*.woshub.com"

For example:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe” --auth-server-whitelist="*.woshub.com " --auth-negotiate-delegate-whitelist="*.woshub.com"

You can configure these setting using GPO for Chrome (AuthServerWhitelist policy) or using the registry parameter AuthNegotiateDelegateWhitelist located in registry key HKLM\SOFTWARE\Policies\Google\Chrome (How to deploy a registry keys using GPO).

In order the changes to come into effect, restart your browser and reset Ketberos tickets using klist purge command (see the article).

Configure Firefox to Authenticate using Kerberos

By default, Kerberos support in Firefox is disabled. To enable it, open the browser configuration window (go to about:config in the address bar). Then in the following parameters specify the addresses of the web servers, for which you are going to use Kerberos authentication.

  1. network.negotiate-auth.trusted-uris
  2. network.automatic-ntlm-auth.trusted-uris

network.automatic-ntlm-auth.trusted-uris Kerberos in Firefox

For convenience you can disable the mandatory entering of the FQDN server address in Mozilla Firefox address bar by enabling network.negotiate-auth.allow-non-fqdn parameter.

You can make sure that your browser has passed Kerberos authentication on the server using Fiddler or klist tickets command.

0 comment
0
Facebook Twitter Google + Pinterest
previous post
How to Export (Backup) and Restore Device Drivers in Windows 10 and 8.1
next post
Fixing High CPU Usage and Memory Leak Issue by Svchost.exe (wuauserv)

Related Reading

Configuring Proxy Settings on Windows Using Group Policy...

February 17, 2021

Updating Group Policy Settings on Windows Domain Computers

February 16, 2021

How to Find Inactive Computers and Users in...

January 29, 2021

Checking User Logon History in Active Directory Domain...

January 22, 2021

Restoring Deleted Active Directory Objects/Users

December 21, 2020

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange
  • Windows 10
  • Windows 8
  • Windows 7
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2008 R2
  • PowerShell
  • VMWare
  • MS Office

Recent Posts

  • Accessing USB Flash Drive from VMWare ESXi

    February 26, 2021
  • How to Sign a PowerShell Script (PS1) with a Code Signing Certificate?

    February 25, 2021
  • Change the Default Port Number (TCP/1433) for a MS SQL Server Instance

    February 24, 2021
  • How to Shadow (Remote Control) a User’s RDP session on RDS Windows Server 2016/2019?

    February 22, 2021
  • Configuring PowerShell Script Execution Policy

    February 18, 2021
  • Configuring Proxy Settings on Windows Using Group Policy Preferences

    February 17, 2021
  • Updating Group Policy Settings on Windows Domain Computers

    February 16, 2021
  • Managing Administrative Shares (Admin$, IPC$, C$, D$) in Windows 10

    February 11, 2021
  • Packet Monitor (PktMon) – Built-in Packet Sniffer in Windows 10

    February 10, 2021
  • Fixing “Winload.efi is Missing or Contains Errors” in Windows 10

    February 5, 2021

Follow us

woshub.com
  • Facebook
  • Twitter
  • RSS
Popular Posts
  • How to Configure Google Chrome Using Group Policy ADMX Templates?
  • Get-ADUser: Getting Active Directory Users Info via PowerShell
  • Get-ADComputer: Find Computer Details in Active Directory with PowerShell
  • Changing Desktop Background Wallpaper in Windows through GPO
  • Restricting Group Policy with WMI Filtering
  • New-ADUser: Bulk Creating AD Users Using PowerShell
  • How to Convert SID to User/Group Name and User to SID?
Footer Logo

@2014 - 2018 - Windows OS Hub. All about operating systems for sysadmins


Back To Top