Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / Active Directory / Configuring Kerberos Authentication in Different Browsers

August 1, 2018 Active DirectoryMisc

Configuring Kerberos Authentication in Different Browsers

In this article, we’ll look at how to configure Kerberos authentication for different browsers in a Windows domain to enable transparent and secure authentication on web servers without the need to re-enter a user’s password in a corporate network. Most modern browsers (IE, Chrome, Firefox) support Kerberos, however, you have to perform some extra steps to make it work.

To allow a browser to authenticate on a web server, the following conditions have to be fulfilled:

  1. Kerberos support must be enabled on the web server side (an example of Setting up Kerberos Authentication for IIS Website );
  2. A user must have access to the webserver;
  3. A user must be authenticated on his computer joined to the Active Directory using Kerberos (must have a valid TGT — Kerberos Ticket Granting Ticket).

For example, you want to allow Kerberos clients to authenticate using a browser on any web servers of the woshub.com domain (DNS or FQDN name must be used instead of the IP address of the web server).

Contents:
  • Enabling Kerberos Authentication in Internet Explorer
  • How to Enable Kerberos Authentication in Google Chrome
  • Configure Firefox to Authenticate using Kerberos

Enabling Kerberos Authentication in Internet Explorer

Let’s consider how to enable Kerberos authentication in Internet Explorer 11.

We remind that since January, 2016, the only officially supported Internet Explorer version is IE11.

Go to Internet Options -> Security -> Local intranet, and click Sites -> Advanced. Add the following entries to the zone:

  • https://*.woshub.com
  • http://*.woshub.com

local intranet zone for kerberos auth

You can add the sites to this zone using the Group Policy: Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Site to Zone Assignment. Add an entry with the value 1 for each website. See the example in the article “How to disable Open File security warning on Windows for the files downloaded from the Internet”.

Then go to the Advanced tab and in the Security section, make sure that Enable Integrated Windows Authentication option is checked.

Enable Integrated Windows Authentication in Internet Explorer 11

Important. Make sure that websites, for which Kerberos authentication is enabled, are present only in the Local intranet zone. A Kerberos token for the websites included into Trusted sites zone is not sent to the corresponding web server.

How to Enable Kerberos Authentication in Google Chrome

To make SSO work in Google Chrome, configure Internet Explorer using the method described above (Chrome uses IE setting). In addition, it should be noted that all new versions of Chrome automatically detect Kerberos support on the website. If you are using one of the earlier Chrome (Chromium) versions, run it with the following parameters to make Kerberos authentication on your web servers work correctly:

--auth-server-whitelist="*.woshub.com"
--auth-negotiate-delegate-whitelist="*.woshub.com"

For example:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe” --auth-server-whitelist="*.woshub.com " --auth-negotiate-delegate-whitelist="*.woshub.com"

You can configure these setting using GPO for Chrome (AuthServerWhitelist policy) or using the registry parameter AuthNegotiateDelegateWhitelist located in registry key HKLM\SOFTWARE\Policies\Google\Chrome (How to deploy a registry keys using GPO).

In order the changes to come into effect, restart your browser and reset Ketberos tickets using klist purge command (see the article).

Configure Firefox to Authenticate using Kerberos

By default, Kerberos support in Firefox is disabled. To enable it, open the browser configuration window (go to about:config in the address bar). Then in the following parameters specify the addresses of the web servers, for which you are going to use Kerberos authentication.

  1. network.negotiate-auth.trusted-uris
  2. network.automatic-ntlm-auth.trusted-uris

network.automatic-ntlm-auth.trusted-uris Kerberos in Firefox

For convenience you can disable the mandatory entering of the FQDN server address in Mozilla Firefox address bar by enabling network.negotiate-auth.allow-non-fqdn parameter.

You can make sure that your browser has passed Kerberos authentication on the server using Fiddler or klist tickets command.

0 comment
0
Facebook Twitter Google + Pinterest
previous post
Auto-Mount a VHD/VHDX File at Startup in Windows 10, 8.1
next post
Fixing High CPU Usage and Memory Leak Issue by Svchost.exe (wuauserv)

Related Reading

How to Install the PowerShell Active Directory Module...

January 31, 2023

Finding Duplicate E-mail (SMTP) Addresses in Exchange

January 27, 2023

Fix: The Requested Certificate Template is Not Supported...

January 9, 2023

How to Create a Scheduled Task Using GPO?

December 29, 2022

Configure Google Chrome Settings with Group Policy

December 20, 2022

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • PowerShell
  • VMWare
  • Hyper-V
  • Linux
  • MS Office

Recent Posts

  • Using Previous Command History in PowerShell Console

    January 31, 2023
  • How to Install the PowerShell Active Directory Module and Manage AD?

    January 31, 2023
  • Finding Duplicate E-mail (SMTP) Addresses in Exchange

    January 27, 2023
  • How to Delete Old User Profiles in Windows?

    January 25, 2023
  • How to Install Free VMware Hypervisor (ESXi)?

    January 24, 2023
  • How to Enable TLS 1.2 on Windows?

    January 18, 2023
  • Allow or Prevent Non-Admin Users from Reboot/Shutdown Windows

    January 17, 2023
  • Fix: Can’t Extend Volume in Windows

    January 12, 2023
  • Wi-Fi (Internet) Disconnects After Sleep or Hibernation on Windows 10/11

    January 11, 2023
  • Adding Trusted Root Certificates on Linux

    January 9, 2023

Follow us

woshub.com
  • Facebook
  • Twitter
  • RSS
Popular Posts
  • Changing Desktop Background Wallpaper in Windows through GPO
  • How to Disable NTLM Authentication in Windows Domain?
  • Active Directory Dynamic User Groups with PowerShell
  • Restricting Group Policy with WMI Filtering
  • LAPS: Manage Local Administrator Passwords on a Domain Computers
  • How to Add, Edit, Deploy and Import Registry Keys through GPO?
  • How to Check Who Reset the Password of a User in Active Directory
Footer Logo

@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins


Back To Top