Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / Active Directory / Configuring Kerberos Authentication in Different Browsers

August 1, 2018 Active DirectoryMisc

Configuring Kerberos Authentication in Different Browsers

In this article, we’ll look at how to configure Kerberos authentication for different browsers in a Windows domain to enable transparent and secure authentication on web servers without the need to re-enter a user’s password in a corporate network. Most modern browsers (IE, Chrome, Firefox) support Kerberos, however, you have to perform some extra steps to make it work.

To allow a browser to authenticate on a web server, the following conditions have to be fulfilled:

  1. Kerberos support must be enabled on the web server side (an example of Setting up Kerberos Authentication for IIS Website );
  2. A user must have access to the webserver;
  3. A user must be authenticated on his computer joined to the Active Directory using Kerberos (must have a valid TGT — Kerberos Ticket Granting Ticket).

For example, you want to allow Kerberos clients to authenticate using a browser on any web servers of the woshub.com domain (DNS or FQDN name must be used instead of the IP address of the web server).

Contents:
  • Enabling Kerberos Authentication in Internet Explorer
  • How to Enable Kerberos Authentication in Google Chrome
  • Configure Firefox to Authenticate using Kerberos

Enabling Kerberos Authentication in Internet Explorer

Let’s consider how to enable Kerberos authentication in Internet Explorer 11.

We remind that since January, 2016, the only officially supported Internet Explorer version is IE11.

Go to Internet Options -> Security -> Local intranet, and click Sites -> Advanced. Add the following entries to the zone:

  • https://*.woshub.com
  • http://*.woshub.com

local intranet zone for kerberos auth

You can add the sites to this zone using the Group Policy: Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Site to Zone Assignment. Add an entry with the value 1 for each website. See the example in the article “How to disable Open File security warning on Windows for the files downloaded from the Internet”.

Then go to the Advanced tab and in the Security section, make sure that Enable Integrated Windows Authentication option is checked.

Enable Integrated Windows Authentication in Internet Explorer 11

Important. Make sure that websites, for which Kerberos authentication is enabled, are present only in the Local intranet zone. A Kerberos token for the websites included into Trusted sites zone is not sent to the corresponding web server.

How to Enable Kerberos Authentication in Google Chrome

To make SSO work in Google Chrome, configure Internet Explorer using the method described above (Chrome uses IE setting). In addition, it should be noted that all new versions of Chrome automatically detect Kerberos support on the website. If you are using one of the earlier Chrome (Chromium) versions, run it with the following parameters to make Kerberos authentication on your web servers work correctly:

--auth-server-whitelist="*.woshub.com"
--auth-negotiate-delegate-whitelist="*.woshub.com"

For example:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe” --auth-server-whitelist="*.woshub.com " --auth-negotiate-delegate-whitelist="*.woshub.com"

You can configure these setting using GPO for Chrome (AuthServerWhitelist policy) or using the registry parameter AuthNegotiateDelegateWhitelist located in registry key HKLM\SOFTWARE\Policies\Google\Chrome (How to deploy a registry keys using GPO).

In order the changes to come into effect, restart your browser and reset Ketberos tickets using klist purge command (see the article).

Configure Firefox to Authenticate using Kerberos

By default, Kerberos support in Firefox is disabled. To enable it, open the browser configuration window (go to about:config in the address bar). Then in the following parameters specify the addresses of the web servers, for which you are going to use Kerberos authentication.

  1. network.negotiate-auth.trusted-uris
  2. network.automatic-ntlm-auth.trusted-uris

network.automatic-ntlm-auth.trusted-uris Kerberos in Firefox

For convenience you can disable the mandatory entering of the FQDN server address in Mozilla Firefox address bar by enabling network.negotiate-auth.allow-non-fqdn parameter.

You can make sure that your browser has passed Kerberos authentication on the server using Fiddler or klist tickets command.

0 comment
0
Facebook Twitter Google + Pinterest
previous post
HP Printer Prints Only One Copy of Document
next post
Fixing High CPU Usage and Memory Leak Issue by Svchost.exe (wuauserv)

Related Reading

Create Organizational Units (OU) Structure in Active Directory...

May 17, 2022

Deploying Software (MSI Packages) Using Group Policy

May 12, 2022

How to Reset an Active Directory User Password...

April 27, 2022

Install Active Directory Users and Computers (ADUC) Snap-in...

April 18, 2022

How to Allow or Deny Workstation Logons for...

April 6, 2022

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows 7
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • PowerShell
  • VMWare
  • Hyper-V
  • MS Office

Recent Posts

  • Create Organizational Units (OU) Structure in Active Directory with PowerShell

    May 17, 2022
  • Windows Security Won’t Open or Shows a Blank Screen on Windows 10/ 11

    May 17, 2022
  • How to Manually Install Windows Updates from CAB and MSU Files?

    May 16, 2022
  • RDS and RemoteApp Performance Issues on Windows Server 2019/2016

    May 16, 2022
  • Deploying Software (MSI Packages) Using Group Policy

    May 12, 2022
  • Updating VMware ESXi Host from the Command Line

    May 11, 2022
  • Enable or Disable MFA for Users in Azure/Microsoft 365

    April 27, 2022
  • Fix: You’ll Need a New App to Open This Windows Defender Link

    April 27, 2022
  • How to Reset an Active Directory User Password with PowerShell and ADUC?

    April 27, 2022
  • How to Completely Uninstall Previous Versions of Office with Removal Scripts?

    April 26, 2022

Follow us

woshub.com

ad

  • Facebook
  • Twitter
  • RSS
Popular Posts
  • How to Configure Google Chrome Using Group Policy ADMX Templates?
  • Get-ADComputer: Find Computer Details in Active Directory with PowerShell
  • Changing Desktop Background Wallpaper in Windows through GPO
  • How to Disable NTLM Authentication in Windows Domain?
  • Restricting Group Policy with WMI Filtering
  • Active Directory Dynamic User Groups with PowerShell
  • New-ADUser: Bulk Creating AD Users Using PowerShell
Footer Logo

@2014 - 2018 - Windows OS Hub. All about operating systems for sysadmins


Back To Top