To allow Kerberos/NTLM transactions, the client browsers must trust the Auth Connector agent. The browser will not present a cached credential unless the site (the Auth Connector hostname) is in the Local Intranet or Trusted Sites zone. You can accomplish this in several ways.
Internet Explorer
- Navigate to Tools > Internet Options > Security
- Select Local Intranet
- Click Sites
- Make sure that Automatically detect intranet network is checked, or that all of the options are selected
- Click Advanced
- Add the BCCA hostname to the Local Intranet zone, e.g. http://bcca.BCCA_FQDN.com
- Click Close and OK
- Click Custom Level
- Under User Authentication you can select Automatic logon only in Intranet zone:
  - When the browser receives the redirected authentication request, it checks the source of the request.
  - If the domain or IP address belongs to the Intranet zone, the browser sends the user name and password automatically.
  - If not, the browser pops up a user name and password prompt and waits for the user to enter them manually.
- Alternatively, under User Authentication you can select Automatic logon with current user name and password:
  - When the browser receives the redirected authentication request, it sends the user name and password silently.
  - If authentication succeeds, no further action is needed and the browser continues with the original request.
  - If authentication fails, the browser pops up the authentication prompt and retries until it succeeds.
- Make sure that Enable Integrated Windows Authentication is checked under the Internet Options > Advanced tab, in the Security section
Use Group Policy to configure browsers to add the Auth Connector hostname to their Local Intranet and Trusted Sites zones. See the Group Policy reference below.
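The zone assignment and the two checkboxes above are ordinary registry values under Internet Settings, so they can be applied and audited from a script instead of clicked through per machine. The following PowerShell is an added example, not code from the original article or from the Auth Connector product: it writes the per-user zone-map entry that the Sites > Advanced dialog writes, optionally the machine-wide Site to Zone Assignment List entry that the Group Policy setting writes, and reads back the Local Intranet logon option and the Integrated Windows Authentication flag. The hostname is a placeholder from the article; the registry paths are the standard Internet Options locations.

```powershell
# Added example (not from the original article): put the Auth Connector hostname in the
# Local Intranet zone via the registry and read back the related authentication settings.
# Assumption: $AuthConnectorHost is a placeholder; replace it with the real Auth Connector FQDN.

$AuthConnectorHost = 'bcca.BCCA_FQDN.com'

$InetSettings   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZoneMapDomains = "$InetSettings\ZoneMap\Domains"
$LocalIntranet  = 1    # zone ids: 0 My Computer, 1 Local Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted

function Get-ZoneMapKey {
    param([Parameter(Mandatory)][string]$HostName)
    # Per-user zone map layout: Domains\<parent domain>\<host label>, DWORD 'http' = zone id.
    $labels = $HostName.Split('.')
    if ($labels.Count -lt 2) { throw "Expected a fully qualified hostname, got '$HostName'" }
    $parentDomain = ($labels | Select-Object -Skip 1) -join '.'
    return (Join-Path (Join-Path $ZoneMapDomains $parentDomain) $labels[0])
}

function Add-IntranetSite {
    param([Parameter(Mandatory)][string]$HostName, [int]$Zone = $LocalIntranet)
    # Only the http scheme is mapped because the article's example URL is http.
    $key = Get-ZoneMapKey -HostName $HostName
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'http' -Value $Zone -PropertyType DWord -Force | Out-Null
    return $key
}

function Add-IntranetSitePolicy {
    param([Parameter(Mandatory)][string]$HostName, [int]$Zone = $LocalIntranet)
    # Machine-wide equivalent of the "Site to Zone Assignment List" Group Policy setting:
    # a REG_SZ named after the site whose data is the zone id. Requires administrator rights.
    $policyKey = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    New-Item -Path $policyKey -Force | Out-Null
    New-ItemProperty -Path $policyKey -Name $HostName -Value "$Zone" -PropertyType String -Force | Out-Null
    return $policyKey
}

function Get-AuthZoneStatus {
    param([Parameter(Mandatory)][string]$HostName)
    $key  = Get-ZoneMapKey -HostName $HostName
    $zone = (Get-ItemProperty -Path $key -Name 'http' -ErrorAction SilentlyContinue).http
    # Zones\1 value 1A00 is the Local Intranet "Logon" option from Custom Level:
    #   0x00000 automatic logon with current user name and password
    #   0x10000 prompt for user name and password
    #   0x20000 automatic logon only in Intranet zone
    #   0x30000 anonymous logon
    $logon = (Get-ItemProperty -Path "$InetSettings\Zones\1" -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
    $logonNames = @{ 0 = 'automatic'; 0x10000 = 'prompt'; 0x20000 = 'intranet-only'; 0x30000 = 'anonymous' }
    $logonName = if ($null -ne $logon -and $logonNames.ContainsKey([int]$logon)) { $logonNames[[int]$logon] } else { 'unset' }
    # EnableNegotiate = 1 is the "Enable Integrated Windows Authentication" checkbox on the Advanced tab.
    $iwa = (Get-ItemProperty -Path $InetSettings -Name 'EnableNegotiate' -ErrorAction SilentlyContinue).EnableNegotiate
    [pscustomobject]@{
        Host            = $HostName
        ZoneId          = $zone
        InLocalIntranet = ($zone -eq $LocalIntranet)
        LogonOption     = $logonName
        IwaEnabled      = ($iwa -eq 1)
    }
}

Add-IntranetSite -HostName $AuthConnectorHost | Out-Null
Get-AuthZoneStatus -HostName $AuthConnectorHost | Format-List
# Add-IntranetSitePolicy -HostName $AuthConnectorHost    # run elevated to set the policy-scope entry
```

Get-AuthZoneStatus is the useful part when a user reports a credential prompt: if InLocalIntranet is false, the browser is treating the Auth Connector as an Internet site and will never release the Kerberos ticket; if LogonOption is prompt, the Custom Level setting is overriding the zone. A policy-scope entry written by Add-IntranetSitePolicy takes precedence over the per-user one and cannot be changed by the user in the dialog.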
Chrome
- Recent versions of Chrome detect Kerberos/NTLM authentication automatically. Make sure to also apply the Internet Explorer changes listed above, because those settings also apply to the Google Chrome browser.
Firefox
By default, Kerberos support in Firefox is disabled. To enable it, do the following:
- Open the browser configuration page
- Type about:config in the address bar
- In the following parameters, specify the addresses of the web servers for which you are going to use Kerberos/NTLM authentication
- Search for the term network.automatic
- Enable and set the following for NTLM:
  - network.automatic-ntlm-auth.trusted-uris - value: e.g. http://bcca-fqdn.com
  - network.automatic-ntlm-auth.allow-non-fqdn - value: true
- Enable and set the following for Kerberos:
  - network.negotiate-auth.delegation-uris - value: e.g. http://bcca-fqdn.com
  - network.negotiate-auth.trusted-uris - value: e.g. http://bcca-fqdn.com
  - network.negotiate-auth.allow-non-fqdn - value: true
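Editing about:config by hand does not scale past a few machines and is easily undone by the user. Firefox reads the same settings from an enterprise policies.json, where the Authentication policy maps one-to-one onto the prefs listed above. The PowerShell below is an added example, not code from the original article or from Mozilla: it builds that policy for the Auth Connector hostname and writes it to the distribution folder of the default Firefox install. The hostname is the article's placeholder; the install path is an assumption for a 64-bit default install.

```powershell
# Added example (not from the original article): generate a Firefox enterprise policies.json
# carrying the Kerberos/NTLM prefs from the article, so every profile on the machine gets them.
# Assumptions: $AuthConnectorHost is a placeholder; $FirefoxDir is the default 64-bit install path.

$AuthConnectorHost = 'bcca-fqdn.com'
$FirefoxDir        = Join-Path $env:ProgramFiles 'Mozilla Firefox'

function New-FirefoxAuthPolicy {
    param([Parameter(Mandatory)][string[]]$TrustedHosts, [bool]$AllowNonFqdn = $true)
    # Policy key -> about:config pref it sets:
    #   SPNEGO       -> network.negotiate-auth.trusted-uris
    #   Delegated    -> network.negotiate-auth.delegation-uris
    #   NTLM         -> network.automatic-ntlm-auth.trusted-uris
    #   AllowNonFQDN -> network.negotiate-auth.allow-non-fqdn and network.automatic-ntlm-auth.allow-non-fqdn
    # Locked = true greys the prefs out in about:config so a user cannot widen the host list.
    $policy = [ordered]@{
        policies = [ordered]@{
            Authentication = [ordered]@{
                SPNEGO       = $TrustedHosts
                Delegated    = $TrustedHosts
                NTLM         = $TrustedHosts
                AllowNonFQDN = [ordered]@{ SPNEGO = $AllowNonFqdn; NTLM = $AllowNonFqdn }
                Locked       = $true
            }
        }
    }
    # Depth must cover policies > Authentication > AllowNonFQDN, or ConvertTo-Json truncates it.
    return ($policy | ConvertTo-Json -Depth 5)
}

function Install-FirefoxAuthPolicy {
    param([Parameter(Mandatory)][string]$Json, [Parameter(Mandatory)][string]$InstallDir)
    # Firefox loads <install dir>\distribution\policies.json at startup; writing there needs admin rights.
    $dist = Join-Path $InstallDir 'distribution'
    New-Item -Path $dist -ItemType Directory -Force | Out-Null
    $path = Join-Path $dist 'policies.json'
    Set-Content -Path $path -Value $Json -Encoding UTF8
    return $path
}

$json = New-FirefoxAuthPolicy -TrustedHosts @($AuthConnectorHost)
Write-Output $json
# Install-FirefoxAuthPolicy -Json $json -InstallDir $FirefoxDir    # run elevated
```

Keep the host list limited to the Auth Connector hostname: Delegated controls network.negotiate-auth.delegation-uris, which lets the listed servers receive a forwardable ticket and act on the user's behalf, so it should never be widened to a whole domain. After installing the file, about:policies in Firefox shows whether the policy was parsed and which values are active.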
Safari
Safari works out of the box if a Kerberos ticket was created during the macOS and Active Directory integration.
SPN Configuration
View SPN
setspn -L DOMAIN\bccaserviceADaccount
Set SPN
setspn -S http/BCCA_FQDN.com DOMAIN\bccaserviceADaccount
Verify Kerberos authentication tickets
You can verify that your browser has authenticated to the server with Kerberos by using Fiddler or the klist tickets command.
See the Working of SAML Authentication trace.
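Both checks above, that the SPN is set and that the client actually received a service ticket, can be scripted, which is handy because the usual failure mode is silent: a missing or duplicated HTTP SPN makes the browser fall back to NTLM or prompt, with no error on the client. The PowerShell below is an added example, not code from the original article or from the Auth Connector product. It queries the SPN with setspn -Q and counts the accounts that hold it, and it parses klist output for a ticket matching the SPN. The klist text embedded in the block is constructed for illustration, not captured from a real system; the FQDN and realm are placeholders, and setspn.exe and klist.exe are assumed to be on the PATH.

```powershell
# Added example (not from the original article): confirm the Auth Connector HTTP SPN is held by
# exactly one account and that the client cache holds a Kerberos service ticket for it.
# Assumptions: $AuthConnectorFqdn is a placeholder; setspn.exe and klist.exe are available.

$AuthConnectorFqdn = 'BCCA_FQDN.com'
$Spn = "http/$AuthConnectorFqdn"

function Test-SpnRegistration {
    param([Parameter(Mandatory)][string]$ServicePrincipalName)
    # setspn -Q prints the distinguished name (a line starting with CN=) of every account that
    # holds the SPN. More than one is a duplicate: the KDC cannot choose a key, the TGS request
    # fails, and the browser quietly falls back to NTLM or prompts.
    $out = & setspn.exe -Q $ServicePrincipalName 2>&1
    $accounts = @($out | Where-Object { $_ -match '^CN=' })
    [pscustomobject]@{
        Spn        = $ServicePrincipalName
        Accounts   = $accounts
        Registered = ($accounts.Count -eq 1)
        Duplicate  = ($accounts.Count -gt 1)
    }
}

function Get-KerberosServiceTicket {
    param([Parameter(Mandatory)][string[]]$KlistOutput, [Parameter(Mandatory)][string]$ServicePrincipalName)
    # klist prints one "Server: <spn> @ <REALM>" line per cached ticket. Active Directory matches
    # SPNs case-insensitively, so http/ and HTTP/ are compared with -ieq.
    foreach ($line in $KlistOutput) {
        if ($line -match '^\s*Server:\s*(?<spn>\S+)\s*@\s*(?<realm>\S+)') {
            if ($Matches.spn -ieq $ServicePrincipalName) {
                return [pscustomobject]@{ Spn = $Matches.spn; Realm = $Matches.realm }
            }
        }
    }
    return $null
}

# Constructed sample of klist output (illustrative only, not captured from a real client)
$sampleKlist = @'
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: jdoe @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: jdoe @ CORP.EXAMPLE
        Server: HTTP/BCCA_FQDN.com @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
'@ -split "`r?`n"

$ticket = Get-KerberosServiceTicket -KlistOutput $sampleKlist -ServicePrincipalName $Spn
if ($ticket) { "Service ticket present for $($ticket.Spn) in realm $($ticket.Realm)" }
else         { "No Kerberos ticket for $Spn; the browser probably fell back to NTLM or prompted" }

# Against a live client: purge the cache, browse to the Auth Connector, then re-check.
#   klist purge
#   Get-KerberosServiceTicket -KlistOutput (& klist.exe tickets) -ServicePrincipalName $Spn
#   Test-SpnRegistration -ServicePrincipalName $Spn
```

Reading the two results together gives the diagnosis: Registered true with a ticket present means Kerberos is working end to end; Registered true with no ticket points at the browser zone or trusted-uris configuration; Duplicate true means the SPN must be removed from the extra account before any client setting will help.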
Group Policy reference: