Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / Active Directory / Configuring Kerberos Authentication in Different Browsers

August 1, 2018 Active DirectoryWindows 10Windows 11

Configuring Kerberos Authentication in Different Browsers

In this article, we’ll look at how to configure Kerberos authentication for different browsers in a Windows domain to enable transparent and secure authentication on web servers without the need to re-enter a user’s password in a corporate network. Most modern browsers (IE, Chrome, Firefox) support Kerberos, however, you have to perform some extra steps to make it work.

To allow a browser to authenticate on a web server, the following conditions have to be fulfilled:

  1. Kerberos support must be enabled on the web server side (an example of Setting up Kerberos Authentication for IIS Website );
  2. A user must have access to the webserver;
  3. A user must be authenticated on his computer joined to the Active Directory using Kerberos (must have a valid TGT — Kerberos Ticket Granting Ticket).

For example, you want to allow Kerberos clients to authenticate using a browser on any web servers of the woshub.com domain (DNS or FQDN name must be used instead of the IP address of the web server).

Contents:
  • Enabling Kerberos Authentication in Internet Explorer
  • How to Enable Kerberos Authentication in Google Chrome
  • Configure Firefox to Authenticate using Kerberos

Enabling Kerberos Authentication in Internet Explorer

Let’s consider how to enable Kerberos authentication in Internet Explorer 11.

We remind that since January, 2016, the only officially supported Internet Explorer version is IE11.

Go to Internet Options -> Security -> Local intranet, and click Sites -> Advanced. Add the following entries to the zone:

  • https://*.woshub.com
  • http://*.woshub.com

local intranet zone for kerberos auth

You can add the sites to this zone using the Group Policy: Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Site to Zone Assignment. Add an entry with the value 1 for each website. See the example in the article “How to disable Open File security warning on Windows for the files downloaded from the Internet”.

Then go to the Advanced tab and in the Security section, make sure that Enable Integrated Windows Authentication option is checked.

Enable Integrated Windows Authentication in Internet Explorer 11

Important. Make sure that websites, for which Kerberos authentication is enabled, are present only in the Local intranet zone. A Kerberos token for the websites included into Trusted sites zone is not sent to the corresponding web server.

How to Enable Kerberos Authentication in Google Chrome

To make SSO work in Google Chrome, configure Internet Explorer using the method described above (Chrome uses IE setting). In addition, it should be noted that all new versions of Chrome automatically detect Kerberos support on the website. If you are using one of the earlier Chrome (Chromium) versions, run it with the following parameters to make Kerberos authentication on your web servers work correctly:

--auth-server-whitelist="*.woshub.com"
--auth-negotiate-delegate-whitelist="*.woshub.com"

For example:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe” --auth-server-whitelist="*.woshub.com " --auth-negotiate-delegate-whitelist="*.woshub.com"

You can configure these setting using GPO for Chrome (AuthServerWhitelist policy) or using the registry parameter AuthNegotiateDelegateWhitelist located in registry key HKLM\SOFTWARE\Policies\Google\Chrome (How to deploy a registry keys using GPO).

In order the changes to come into effect, restart your browser and reset Ketberos tickets using klist purge command (see the article).

Configure Firefox to Authenticate using Kerberos

By default, Kerberos support in Firefox is disabled. To enable it, open the browser configuration window (go to about:config in the address bar). Then in the following parameters specify the addresses of the web servers, for which you are going to use Kerberos authentication.

  1. network.negotiate-auth.trusted-uris
  2. network.automatic-ntlm-auth.trusted-uris

network.automatic-ntlm-auth.trusted-uris Kerberos in Firefox

For convenience you can disable the mandatory entering of the FQDN server address in Mozilla Firefox address bar by enabling network.negotiate-auth.allow-non-fqdn parameter.

You can make sure that your browser has passed Kerberos authentication on the server using Fiddler or klist tickets command.

0 comment
1
Facebook Twitter Google + Pinterest
previous post
Auto-Mount a VHD/VHDX File at Startup in Windows 10, 8.1
next post
Fixing High CPU Usage and Memory Leak Issue by Svchost.exe (wuauserv)

Related Reading

Configuring Event Viewer Log Size on Windows

May 24, 2023

How to Detect Who Changed the File/Folder NTFS...

May 24, 2023

Enable Single Sign-On (SSO) Authentication on RDS Windows...

May 23, 2023

Allow Non-admin Users RDP Access to Windows Server

May 22, 2023

How to Create, Change, and Remove Local Users...

May 17, 2023

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • PowerShell
  • VMWare
  • Hyper-V
  • Linux
  • MS Office

Recent Posts

  • Configuring Event Viewer Log Size on Windows

    May 24, 2023
  • How to Detect Who Changed the File/Folder NTFS Permissions on Windows?

    May 24, 2023
  • Enable Single Sign-On (SSO) Authentication on RDS Windows Server

    May 23, 2023
  • Allow Non-admin Users RDP Access to Windows Server

    May 22, 2023
  • How to Create, Change, and Remove Local Users or Groups with PowerShell?

    May 17, 2023
  • Fix: BSOD Error 0x0000007B (INACCESSABLE_BOOT_DEVICE) on Windows

    May 16, 2023
  • View Success and Failed Local Logon Attempts on Windows

    May 2, 2023
  • Fix: “Something Went Wrong” Error When Installing Teams

    May 2, 2023
  • Querying Windows Event Logs with PowerShell

    May 2, 2023
  • Configure Windows LAPS (Local Administrator Passwords Solution) in AD

    April 25, 2023

Follow us

  • Facebook
  • Twitter
  • RSS
Popular Posts
  • Changing Desktop Background Wallpaper in Windows through GPO
  • Active Directory Dynamic User Groups with PowerShell
  • Restricting Group Policy with WMI Filtering
  • How to Check Who Reset the Password of a User in Active Directory
  • How To Monitor AD Group Changes Using PowerShell
  • How to Deploy SSL Certificate on a Computers Using GPO?
Footer Logo

@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins


Back To Top