Configure Kerberos Authentication in different browsers

Article ID: 174437

Products

Web Security Service - WSS

Issue/Introduction

Users get prompted for authentication when using the Symantec Auth Connector as the SAML IdP with Chrome and Firefox browsers. As an administrator, I would like seamless authentication (without the need to re-enter a user’s password) in a corporate network.

Cause

The browsers need to be configured to use Kerberos or NTLM authentication.

Environment

  • Web Security Service
  • Auth Connector as IdP

Resolution

To allow the Kerberos/NTLM transactions, the client browsers must trust the Auth Connector agent. The browser cannot present a cached credential unless the site (the Auth Connector hostname) exists in the Local Intranet or Trusted Sites zone. You can accomplish this with various methods.

Internet Explorer

  1. Navigate to Tools > Internet Options > Security
  2. Select Local Intranet
  3. Click on Sites
  4. Make sure that Automatically detect intranet network is checked, or that all of the options are selected.
  5. Click on Advanced
  6. Add the BCCA hostname to the Local Intranet zone, e.g. http://bcca.BCCA_FQDN.com
  7. Click Close and OK
  8. Click on Custom Level
  9. You can select Automatic logon only in Intranet zone under User Authentication
    • When the browser receives the redirected authentication request, it checks the source of the request.
    • If the domain or IP belongs to the Intranet zone, the browser sends the user name and password automatically.
    • If not, the browser pops up the user name and password prompt and waits for the user to enter them manually.
  10. You can also select Automatic logon with current user name and password under User Authentication
    • When the browser receives the redirected authentication request, it sends the user name and password silently.
    • If authentication succeeds, no further action is needed and the browser continues with the original request.
    • If authentication fails, the browser pops up the authentication prompt and retries until it succeeds.
  11. Make sure that Enable Integrated Windows Authentication is checked under Internet Options > Advanced tab, in the Security section

Use group policy to configure browsers to add the Auth Connector hostname to their Local Intranet and Trusted Sites zones. See the Group Policy reference below.

Chrome

  1. The latest version of Chrome automatically detects Kerberos/NTLM authentication. Make sure to also apply the changes listed above, since they apply to the Google Chrome browser as well.

Firefox Browser

By default, Kerberos support in Firefox is disabled. To enable it, do the following:

  1. Open the browser configuration page
  2. Type about:config in the address bar.
  3. In the following parameters, specify the addresses of the web servers for which you are going to use Kerberos/NTLM authentication.
    • Search for the term: network.automatic
    • Enable and set the following for NTLM:
      • network.automatic-ntlm-auth.trusted-uris - value: e.g. http://bcca-fqdn.com
      • network.automatic-ntlm-auth.allow-non-fqdn - value: true
    • Enable and set the following for Kerberos:
      • network.negotiate-auth.delegation-uris - value: e.g. http://bcca-fqdn.com
      • network.negotiate-auth.trusted-uris - value: e.g. http://bcca-fqdn.com
      • network.negotiate-auth.allow-non-fqdn - value: true

Safari

Safari works out of the box if a Kerberos ticket was obtained during the macOS and Active Directory integration.

SPN Configuration

View SPN

setspn -L DOMAIN\bccaserviceADaccount

Set SPN

setspn -S http/BCCA_FQDN.com DOMAIN\bccaserviceADaccount

Verify Kerberos authentication tickets

You can make sure that your browser has passed Kerberos authentication to the server by using Fiddler or the klist tickets command.
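The same settings the Internet Explorer, Chrome and Firefox sections describe, applied from a script (for example a group policy logon script) together with the klist check above, as an added example that is not part of this article or of the WSS product: the hostname is the article's placeholder, the ZoneMap registry path, the Chrome AuthServerAllowlist policy and the Firefox policies.json keys are the standard locations those browsers read, and the Chrome and Firefox writes need an elevated session.

```powershell
# Added example (not from the Broadcom article): pushes the article's browser settings by script.
# The hostname is the article's placeholder; replace it with the real Auth Connector FQDN.
$AuthConnectorHost = 'bcca.BCCA_FQDN.com'

function Add-IEIntranetSite {
    # IE (and Edge IE mode): ZoneMap\Domains\<domain>\<label> with DWORD "http" = 1 places
    # http://<fqdn> in the Local intranet zone, the same result as the article's steps 1-7.
    param([string]$Fqdn)
    $label, $domain = $Fqdn -split '\.', 2
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$label"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'http' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Set-ChromeAuthAllowlist {
    # Chrome policy: Negotiate/NTLM responses are only sent to hosts on AuthServerAllowlist.
    param([string]$Fqdn)
    $key = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'AuthServerAllowlist' -Value $Fqdn -PropertyType String -Force | Out-Null
}

function Write-FirefoxAuthPolicy {
    # Enterprise-policy form of the about:config prefs listed in the Firefox section.
    param([string]$Fqdn, [string]$Scheme = 'http')
    $uri = "${Scheme}://$Fqdn"
    $policy = @{ policies = @{ Authentication = @{
        SPNEGO       = @($uri)                           # network.negotiate-auth.trusted-uris
        Delegated    = @($uri)                           # network.negotiate-auth.delegation-uris
        NTLM         = @($uri)                           # network.automatic-ntlm-auth.trusted-uris
        AllowNonFQDN = @{ SPNEGO = $true; NTLM = $true } # *.allow-non-fqdn = true
    } } }
    $dir = Join-Path $env:ProgramFiles 'Mozilla Firefox\distribution'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    # WriteAllText without an encoding argument writes UTF-8 with no BOM, which policies.json requires.
    [System.IO.File]::WriteAllText((Join-Path $dir 'policies.json'), ($policy | ConvertTo-Json -Depth 5))
}

function Test-KerberosTicket {
    # After the browser has signed in, klist lists a service ticket for the SPN set with setspn.
    param([string]$Fqdn)
    $lines = klist 2>$null
    return [bool]($lines | Select-String -Pattern "HTTP/$([regex]::Escape($Fqdn))" -Quiet)
}

Add-IEIntranetSite      -Fqdn $AuthConnectorHost
Set-ChromeAuthAllowlist -Fqdn $AuthConnectorHost
Write-FirefoxAuthPolicy -Fqdn $AuthConnectorHost
"Kerberos ticket for HTTP/$AuthConnectorHost present: $(Test-KerberosTicket -Fqdn $AuthConnectorHost)"
```

Run it once per user for the IE zone entry (HKCU) and once elevated for the Chrome and Firefox policies; Test-KerberosTicket only returns true after the user has actually been redirected to the Auth Connector in a browser.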

See Working of SAML Authentication trace.

Group Policy reference: