Reputation: 21106
An IIS7 Intranet site with Windows Authentication enabled. When hit from Chrome on Windows, the pass-through authentication works fine (no User / Password prompt); however, with Chrome on a Mac you get a prompt. Since the internal network uses CAC/PKI, no one has a password.
I've tried toggling the Windows Authentication on the site to negotiate, but same user/pass prompt.
appcmd set config /section:windowsAuthentication /-providers.[value='Negotiate']
Anyone know a solution for Chrome on OS X?
EDIT
OS X 10.6.8
Centrify for Mac will be used to authenticate to the (Windows 2008 R2 ActiveDirectory) network via CAC.
EDIT 2
There is a proxy setup, but it gets bypassed for local intranet sites, so I don't think it is playing a role.
Also tried using the --auth-server-whitelist command line switch, didn't work.
EDIT 3
SOLUTION
open 'Google Chrome.app' --args --auth-server-whitelist="*DOMAIN.TLD" --auth-negotiate-delegate-whitelist="*DOMAIN.TLD" --auth-schemes="digest,ntlm,negotiate"
Unfortunately Google Chrome for Mac has no way of specifying command line arguments on every load, so some sort of shell script will need to be made.
Running the following shell script at login was the final solution to get around Chrome updates and extra dock icons.
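#!/bin/bash
# Replace the Chrome launcher with a wrapper script that always passes the auth switches.
cd /Applications/Google\ Chrome.app/Contents/MacOS/ || exit 1
if [ -f 'Google Chrome.bin' ];
then
    echo "Already Modified"
else
    sudo chmod u+wr ./
    sudo mv 'Google Chrome' 'Google Chrome.bin'
    # Write through "sudo tee": with "sudo echo ... > file" the redirection runs as the calling user, not root.
    echo '#!/bin/bash' | sudo tee 'Google Chrome' > /dev/null
    # "$@" forwards any arguments (such as a URL to open) to the real binary.
    echo 'exec /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.bin --args --auth-server-whitelist="*DOMAIN.TLD" --auth-negotiate-delegate-whitelist="*DOMAIN.TLD" --auth-schemes="digest,ntlm,negotiate" "$@"' | sudo tee -a 'Google Chrome' > /dev/null
    sudo chmod a+x 'Google Chrome'
    echo "NTLM Will now work in chrome"
fi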
Upvotes: 15
Views: 55475
Reputation: 1
At the moment, the working solution is:
defaults write com.google.Chrome AuthServerAllowlist "*.MY.DOMAIN"
defaults write com.google.Chrome AuthNegotiateDelegateAllowlist "*.MY.DOMAIN"
defaults write com.google.Chrome AuthSchemes "digest,ntlm,negotiate"
And then you can check it at chrome://policy/
Upvotes: 0
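An added example, not part of any answer on this page: a small audit of the allowlist values the thread sets, flagging patterns broader than intended. The function names `classify_pattern` and `audit_list` are hypothetical, the check assumes plain glob-style wildcard matching (under which `*DOMAIN.TLD` also covers a look-alike host such as `notDOMAIN.TLD`), and treating wildcard Kerberos delegation as a finding is this example's own review policy.

```shell
#!/bin/sh
# Audit Chrome integrated-auth allowlist values for over-broad patterns.
# On a Mac the real value would come from, for example:
#   defaults read com.google.Chrome AuthServerAllowlist
# Values are passed as arguments here so the check runs on any host.

# classify_pattern PATTERN -> any-host | loose-wildcard | subdomain-wildcard | exact
classify_pattern() {
    case "$1" in
        '*')    echo "any-host" ;;                  # automatic auth to every server
        '*.'*)  rest=${1#'*.'}
                case "$rest" in
                    *'*'*) echo "loose-wildcard" ;;  # second wildcard, e.g. *.*
                    *)     echo "subdomain-wildcard" ;;
                esac ;;
        *'*'*)  echo "loose-wildcard" ;;            # no dot boundary before the domain
        *)      echo "exact" ;;
    esac
}

# audit_list POLICY VALUE -> one line per finding; exit status 1 if any finding
audit_list() {
    policy=$1
    risky=0
    old_ifs=$IFS
    IFS=','
    set -f                      # do not expand * against file names
    for entry in $2; do
        entry=$(printf '%s' "$entry" | tr -d ' ')
        class=$(classify_pattern "$entry")
        case "$policy:$class" in
            *:any-host|*:loose-wildcard)
                echo "$policy: '$entry' is $class"
                risky=1 ;;
            AuthNegotiateDelegateAllowlist:subdomain-wildcard)
                echo "$policy: '$entry' delegates tickets to every subdomain"
                risky=1 ;;
        esac
    done
    set +f
    IFS=$old_ifs
    return $risky
}

# Sample values constructed from the placeholder domains used in this thread.
audit_list AuthServerAllowlist '*DOMAIN.TLD' || true
audit_list AuthNegotiateDelegateAllowlist '*.MY.DOMAIN' || true
audit_list AuthServerAllowlist 'intranet.my.domain, *.my.domain' || true
```

The first two sample calls each report one finding; the third reports none, because a dot-bounded wildcard is accepted for the server allowlist.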
Reputation: 1032
Integrated Windows Auth (NTLM) on a Mac using Safari:
$ sudo nano /etc/krb5.conf
[logging]
default = /var/log/krb5libs.log
kdc = /var/log/krb5kdc.log
admin_server = /var/log/kadmind.log
[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
default_realm = MY.DOMAIN
udp_preference_limit = 1
[realms]
[domain_realm]
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
$ kinit -V myuser
[email protected]'s password:
Placing tickets for '[email protected]' in cache 'API:redacted'
Note: This used to work with Chrome using the following commands but has recently stopped working, so now use Safari:
defaults write com.google.Chrome AuthServerWhitelist "*.MY.DOMAIN"
defaults write com.google.Chrome AuthNegotiateDelegateWhitelist "*.MY.DOMAIN"
defaults write com.google.Chrome AuthSchemes "digest,ntlm,negotiate"
Upvotes: 0
Reputation: 81
It seems we can do the following configuration in Terminal:
$ defaults write com.google.Chrome AuthServerWhitelist "*.example.com"
$ defaults write com.google.Chrome AuthNegotiateDelegateWhitelist "*.example.com"
$ defaults write com.google.Chrome AuthSchemes "digest,ntlm,negotiate"
Upvotes: 5
Reputation: 102
defaults write com.google.Chrome AuthServerWhitelist '<your domain>'
will permanently allow Kerberos to a server or set of servers (*.mydomain.local).
Upvotes: 1
Reputation: 9504
This isn't a bug at the moment. The Mac version of Chrome simply does not support/respect Kerberos policies ("Negotiate" Windows Authentication) unless the domain is white-listed and the browser is fired from the command line. See this link posted 10/31/2011:
http://code.google.com/p/chromium/issues/detail?id=102339
It looks like you might be able to permanently white-list a domain though:
http://www.google.com/support/forum/p/Chrome/thread?tid=592eb87350d9d528&hl=en
Since you have already tried the white-list switch, I looked closer and it is an OSX thing... 10.7 is necessary for the switch to work properly with Chrome. Your 10.6 version won't work without a third party tool like Centrify.
Not a happy answer, but the truth.
Upvotes: 5
Reputation: 1242
What version of Chrome? This was an active bug, make sure you've got the latest version. It should work...
http://code.google.com/p/chromium/issues/detail?id=19
Upvotes: 0