Configuring browsers for Kerberos and NTLM - PingFederate


The PingFederate Integrated Windows Authentication (IWA) adapter uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) for Kerberos and NTLM authentication.

For IWA adapter system requirements, see the IWA documentation.
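Whether a browser ends up on Kerberos or NTLM is visible in the token it sends in the "Authorization: Negotiate" header: a SPNEGO NegTokenInit lists the mechanisms the client offers in preference order, while a client that skipped SPNEGO sends a raw NTLMSSP message. The inspector below is an added example (not PingFederate or IWA adapter code) that decodes a client-side token far enough to report that; the two sample tokens are constructed inline, and the DER walker only understands the NegTokenInit layout, not the server's NegTokenResp.

```python
"""Report which mechanisms a browser's Negotiate token offers (added example)."""
import base64

# Well-known GSS-API mechanism OIDs (RFC 4178, MS-SPNG).
SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "Kerberos V5 (Microsoft legacy OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NEGOEX",
}


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn DER OID content bytes into dotted notation."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def _mech_types(token):
    """Walk InitialContextToken -> NegTokenInit -> mechTypes; None if not SPNEGO."""
    tag, body, _ = _read_tlv(token, 0)           # [APPLICATION 0] wrapper (0x60)
    if tag != 0x60:
        return None
    tag, oid, pos = _read_tlv(body, 0)           # thisMech OID
    if tag != 0x06 or _decode_oid(oid) != SPNEGO_OID:
        return None
    tag, neg, _ = _read_tlv(body, pos)           # [0] NegTokenInit (0xA0)
    if tag != 0xA0:
        return None
    _, seq, _ = _read_tlv(neg, 0)                # SEQUENCE
    tag, mech_types, _ = _read_tlv(seq, 0)       # [0] mechTypes (0xA0)
    if tag != 0xA0:
        return None
    _, oid_list, _ = _read_tlv(mech_types, 0)    # SEQUENCE OF MechType
    oids, pos = [], 0
    while pos < len(oid_list):
        _, val, pos = _read_tlv(oid_list, pos)
        oids.append(_decode_oid(val))
    return oids


def inspect_negotiate_token(b64_token):
    """Describe a client Negotiate token: raw NTLM, SPNEGO (with mech list), or unknown."""
    token = base64.b64decode(b64_token)
    if token.startswith(b"NTLMSSP\x00"):         # browser bypassed SPNEGO entirely
        msg_type = int.from_bytes(token[8:12], "little")
        return {"wrapper": "raw NTLM", "mechs": ["NTLMSSP"], "ntlm_message_type": msg_type}
    oids = _mech_types(token)
    if oids is None:
        return {"wrapper": "unknown", "mechs": []}
    mechs = [MECH_NAMES.get(o, o) for o in oids]
    # The first mechType is the one whose mechToken the client actually sent.
    return {"wrapper": "SPNEGO", "mechs": mechs, "preferred": mechs[0] if mechs else None}


# Constructed sample: SPNEGO NegTokenInit offering Kerberos first, then NTLMSSP.
SAMPLE_SPNEGO_B64 = base64.b64encode(bytes.fromhex(
    "6027"
    "06062b0601050502"                         # thisMech = SPNEGO
    "a01d301ba0193017"                         # NegTokenInit / SEQUENCE / [0] mechTypes
    "06092a864886f712010202"                   # Kerberos V5
    "060a2b06010401823702020a"                 # NTLMSSP
)).decode()

# Constructed sample: raw NTLM NEGOTIATE_MESSAGE (type 1) with empty name fields.
SAMPLE_RAW_NTLM_B64 = base64.b64encode(
    b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes.fromhex("078208a2") + bytes(16)
).decode()

if __name__ == "__main__":
    for name, tok in (("spnego", SAMPLE_SPNEGO_B64), ("ntlm", SAMPLE_RAW_NTLM_B64)):
        print(name, inspect_negotiate_token(tok))
```

Feed it the base64 value after "Negotiate " from a captured request header (PingFederate or proxy logs). A token whose preferred mechanism is NTLMSSP, or a raw NTLM message, shows the browser could not obtain a Kerberos ticket for that host, which is the symptom the browser settings in this guide are meant to fix.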

Click the following tabs to see instructions specific to the browsers you want to configure.

Configuring Apple Safari

Safari on Windows supports SPNEGO with no further configuration. SPNEGO supports Kerberos if the computer is domain-joined and the user is logged in with a domain account; otherwise SPNEGO negotiates NTLM.

Safari on Mac OS X supports SPNEGO with Kerberos if Mac OS is joined to Active Directory (AD); otherwise SPNEGO negotiates NTLM.

For information on joining Mac OS to AD, see Integrate Active Directory.

Configuring Microsoft Edge

Before configuring Microsoft Edge for Kerberos and NTLM, determine whether you have the legacy or Chromium version.

Configuring Internet Explorer and Google Chrome on Windows for Kerberos and NTLM

Add sites to the trusted zone to enable the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO).

By default, any IWA authentication request originating from an Internet host is not allowed. The default setting only allows clients to automatically provide credentials to hosts within the intranet zone. Sites are considered to be in the intranet zone if the connection was established using a Universal Naming Convention path (for example, \\pingsso), the site bypasses the proxy server, or host names don't contain periods (for example, http://pingsso).

Most PingFederate single sign-on (SSO) connections use the fully qualified domain name, so they will not be categorized as being in the intranet zone. Configure the browser to trust the host by adding the PingFederate hostname to the trusted sites zone.

The default setting, Automatic logon with current user name and password, uses Kerberos if available and NTLM if not. The setting Prompt for user name and password only uses NTLM.

If Internet Explorer Enhanced Security Configuration is enabled, a login prompt overrides the automatic login behavior. This prompt still allows Kerberos and NTLM authentication, but it does not use the cached credentials from the user's Windows login.

To configure Internet Explorer and Google Chrome to support SPNEGO:

  1. From the Control Panel, go to Network and Internet > Internet Options > Security.
  2. Click Trusted Sites, then click Custom Level.
  3. Under User Authentication, select Automatic logon with current user name and password. Click OK.
  4. On the Security tab, click Trusted Sites, then click Sites.
  5. In the Add this website to the zone field, enter the PingFederate server's hostname and click Add. Click Close.
    Note: You can include an asterisk in front of the domain suffix to trust any host name within the AD domain (for example, *.ADdomain.pingidentity.com).

SPNEGO supports Kerberos if the computer is domain-joined and logged in with an AD user account.

SPNEGO negotiates NTLM on non-domain-joined computers. You are prompted for credentials; enter <ADdomain>\<username> and the password.

Note: The NetBIOS domain name (<ADdomain> in the above example) must qualify the user name if:
  • The computer is not joined to an AD domain, or
  • There are multiple AD domains or forests and you are authenticating over a cross-domain trust.

You can add the PingFederate URL to the local intranet zone as an alternative to adding it to the trusted sites zone. Which zone is appropriate depends on the network design of the environment, but note that setting Automatic logon with current user name and password for the trusted sites zone means that Negotiate (Kerberos or NTLM) authorization credentials might be sent in requests to sites outside of the intranet zone.

Configuring Google Chrome on Mac OS for Kerberos and NTLM

Authorize hosts for the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) using the terminal.

SPNEGO works on Chrome without configuration, but only negotiates NTLM. To enable Kerberos, you must authorize host or domain names for SPNEGO protocol message exchanges. Do this from Terminal or by joining Mac OS to AD. For information on joining Mac OS to AD, see Integrate Active Directory. For iOS, only NTLM via SPNEGO has been tested. Kerberos has not been verified.

Configure AuthServerWhitelist from the Terminal:

  1. Within your Mac OS Terminal, run kinit to get an initial ticket-granting ticket from your Kerberos domain controller to request service tickets for the IWA adapter.
    >kinit <joe@ADdomain.com>
    joe@ADdomain.com's Password: <YourPassword>
  2. Go to the Chrome directory and start Chrome with the AuthServerWhitelist parameter.
    >cd </Applications/Google Chrome.app/Contents/MacOS>
    >./"Google Chrome" --auth-server-whitelist="<*.addomain.com>"
    Note:

    Some services require delegation of the user's identity. By default, Chrome does not allow this.

    The AuthNegotiateDelegateWhitelist policy tells Chrome which servers it may delegate the user's credentials to. Add this parameter to the above command by specifying --auth-negotiate-delegate-whitelist="*.adexample.com".

    This setting persists every time Chrome is launched.
  3. Run kinit every 10 hours for Chrome to request service tickets for the IWA adapter.

Configuring Mozilla Firefox for Kerberos and NTLM

Configure a list of trusted sites for the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO).

Firefox rejects all SPNEGO challenges from any web server by default. You must configure a whitelist of sites permitted to exchange SPNEGO messages with the browser.

  1. In the Firefox address bar, enter about:config. Click I accept the risk!
  2. Search for the following preferences:
    • network.negotiate-auth.trusted-uris
    • network.automatic-ntlm-auth.trusted-uris
  3. Double-click each of the preferences and enter any host or domain names in the Enter string value field, separated by commas. Click OK.
    Note: You can add a period in front of the domain suffix to trust any hostname within the domain (for example, .adexample.pingidentity.com).

SPNEGO supports Kerberos if the computer is joined to Active Directory (AD) and the user is logged on with a domain user account; otherwise SPNEGO negotiates NTLM.

Firefox on Mac OS supports both Kerberos and NTLM if the computer is joined to AD; otherwise SPNEGO negotiates only NTLM.
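The Chrome AuthServerWhitelist value above ("*.addomain.com") and the Firefox trusted-uris preferences both decide which hosts the browser will answer with Negotiate credentials, and the page warns that those credentials may then be sent to any matching host. The checker below is an added example, not browser or PingFederate code: it applies the two notations as this page describes them (a leading "*." or "." means any host within the domain, anything else is an exact host name) and flags entries broad enough to trust the whole Internet. It assumes entries carry no scheme or port and does not reproduce the browsers' own matching code; the sample lists are constructed.

```python
"""Match hosts against Chrome/Firefox SPNEGO allow-list entries and flag broad ones (added example)."""


def _parse_entry(entry):
    """Return (domain_suffix_mode, base_name) for one allow-list entry.
    Firefox notation: '.corp.example' = any host in the domain; 'sso.corp.example' = exact host.
    Chrome notation:  '*.corp.example' = any host in the domain (interpreted per this page's example).
    Assumption: entries contain no scheme or port."""
    e = entry.strip().lower().rstrip(".")
    if e.startswith("*."):
        return True, e[2:]
    if e.startswith("."):
        return True, e[1:]
    if e == "*":
        return True, ""          # bare wildcard: every host
    return False, e


def entry_matches(entry, host):
    """True if the allow-list entry covers the given host name."""
    suffix_mode, base = _parse_entry(entry)
    host = host.strip().lower().rstrip(".")
    if not suffix_mode:
        return host == base
    if base == "":
        return True
    # Require a label boundary so 'evilcorp.example' never matches '.corp.example'.
    return host.endswith("." + base)


def matching_entries(allow_list, host):
    """Entries (comma-separated, as typed into the browser setting) that match host."""
    return [e.strip() for e in allow_list.split(",") if e.strip() and entry_matches(e, host)]


def overly_broad_entries(allow_list, min_labels=2):
    """Domain-suffix entries whose base has fewer than min_labels labels.
    '.com' or '*.com' would send Negotiate credentials to any .com host; '*' to any host."""
    broad = []
    for e in allow_list.split(","):
        if not e.strip():
            continue
        suffix_mode, base = _parse_entry(e)
        labels = [l for l in base.split(".") if l]
        if suffix_mode and len(labels) < min_labels:
            broad.append(e.strip())
    return broad


# Constructed sample settings (not from a real deployment).
FIREFOX_TRUSTED_URIS = "sso.pingidentity.example,.corp.example"
CHROME_ALLOWLIST = "*.corp.example,*.com"

if __name__ == "__main__":
    for host in ("sso.pingidentity.example", "pf.corp.example", "evilcorp.example"):
        print(host, "firefox:", matching_entries(FIREFOX_TRUSTED_URIS, host),
              "chrome:", matching_entries(CHROME_ALLOWLIST, host))
    print("too broad:", overly_broad_entries(CHROME_ALLOWLIST))
```

Run it against the exact strings from about:config or the Chrome launch command when reviewing a workstation build; an entry reported by overly_broad_entries is the kind of setting that lets the browser hand Negotiate credentials to hosts well outside the AD domain.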