Configuring browsers for Kerberos authentication - PingFederate - 11.1

PingFederate Server

bundle
pingfederate-111
ft:publication_title
PingFederate Server
Product_Version_ce
PingFederate 11.1
category
Administrator
Audience
Capability
DeploymentMethod
Product
SingleSignonSSO
Software
SystemAdministrator
pf-111
pingfederate
ContentType_ce

You can configure browsers at your site to use the Kerberos Adapter to authenticate users.

The client-side configuration requires the base URL or an applicable virtual host name of your PingFederate environment. The base URL is defined on the System > Server > Protocol Settings > Federation Info tab. To see a list of defined virtual host names, if configured, go to System > Server > Virtual Host Names.

The following information explains how to configure the Microsoft Edge, Mozilla Firefox, and Google Chrome browsers.

Important:

If the browser is not properly configured, the user might be prompted to authenticate manually with their network credentials. Otherwise, authentication fails the single sign-on (SSO) to the service providers.

Configuring Microsoft Edge for Kerberos authentication

You can configure Microsoft Edge browsers for Kerberos authentication.

Because Edge doesn't honor intranet sites, the PingFederate Kerberos Adapter isn't allowed by default to request the Kerberos ticket for a user. To resolve this issue, there's a group policy object (GPO) that can send intranet site requests to Internet Explorer 11 instead of Edge. It lets you put PingFederate in the Intranet Sites Zone (not the Trusted Sites Zone) in Internet Explorer and enable Kerberos.

  1. In the Group Policy Management editor, go to User Configuration > Administrative Templates > Windows Components > Microsoft Edge and enable the Send All intranet sites to IE11 setting.
    Kerberos prerequisite.
  2. Go to Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List.
  3. In the Show Contents dialog box's Value Name column enter the <PingFederate URL>.
  4. In the Value column enter 1.
    Enter 1.
  5. Go to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > SecurityPage > Intranet Zone.
  6. In the Logon Option dialog box's Logon options list, select Automatic logon with current username and password.
    automatic logon.

Configuring Mozilla Firefox for Kerberos authentication

You can configure Microsoft Firefox browsers for Kerberos authentication.

  1. Start Firefox.
  2. Open a new tab and enter about:config in the address bar.
  3. Double-click the network.negotiate-auth.trusted-uris preference name to modify its value to include the base URL of your PingFederate environment. For example, www.example.com.
  4. Click OK and close the about:config tab.

Configuring Google Chrome for Kerberos authentication

Google Chrome browsers support Kerberos authentication.

If you configure Microsoft Edge for Kerberos authentication, then you don't need to configure Google Chrome because Chrome uses the settings in Edge. For more information, see the Microsoft Edge tab on this topic.