Configuring browsers for Kerberos and NTLM
The PingFederate Integrated Windows Authentication (IWA) adapter uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) for Kerberos and NTLM authentication.
For IWA adapter system requirements, see the IWA documentation.
Read the following sections for instructions specific to the browsers you want to configure.
Configuring Apple Safari
Safari on Windows supports SPNEGO with no further configuration. SPNEGO supports Kerberos if the computer is domain-joined and logged in by a domain user, otherwise SPNEGO negotiates NTLM.
Safari on Mac OS X supports SPNEGO with Kerberos if Mac OS is joined to Active Directory (AD), otherwise SPNEGO negotiates NTLM.
For information on joining Mac OS to AD, see Integrate Active Directory.
Configuring Microsoft Edge
Before configuring Microsoft Edge for Kerberos and NTLM, determine whether you have the legacy or Chromium version.
- Legacy: To configure Microsoft Edge (Legacy), see Kerberos Adapter does not work for Edge Browsers in Windows 10 for SSO in the Ping Identity Knowledge Base.
- Chromium: To configure Microsoft Edge (Chromium), see Kerberos unconstrained double-hop authentication with Microsoft Edge (Chromium) in the Microsoft documentation.
Configuring Internet Explorer and Google Chrome on Windows for Kerberos and NTLM
Add sites to the trusted zone to enable the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO).
About this task
By default, any IWA authentication request originating from an Internet host is not allowed. The default setting only allows clients to automatically provide credentials to hosts within the intranet zone. Sites are considered to be in the intranet zone if the connection was established using a Universal Naming Convention path (for example, \\pingsso), the site bypasses the proxy server, or host names don’t contain periods (for example, http://pingsso).
Most PingFederate single sign-on (SSO) connections use the fully qualified domain name, so they will not be categorized as being in the intranet zone. Configure the browser to trust the host by adding the PingFederate hostname to the trusted sites zone.
The default setting, Automatic logon with current user name and password, uses Kerberos if available and NTLM if not. The setting Prompt for user name and password only uses NTLM.
If Internet Explorer Enhanced Security Configuration is enabled, a login prompt overrides the automatic login behavior. This prompt allows Kerberos and NTLM functionality, however it does not use the cached credentials from the user login.
To configure Internet Explorer and Google Chrome to support SPNEGO:
Steps
- From the Control Panel, go to Network and Internet → Internet Options → Security.
- Click Trusted Sites, then click Custom Level.
- Under User Authentication, select Automatic logon with current user name and password. Click OK.
- On the Security tab, click Trusted Sites, then click Sites.
- In the Add this website to the zone field, enter the PingFederate server’s hostname and click Add. Click Close.
  You can include an asterisk in front of the domain suffix to trust any host name within the AD domain (for example, *.ADdomain.pingidentity.com).
Result
SPNEGO supports Kerberos if the computer is domain-joined and logged in with an AD user account.
SPNEGO negotiates NTLM on non-domain-joined computers. You are prompted for credentials, for which you would enter <ADdomain>\<username> and the password.
The NetBIOS domain name (<ADdomain> in the above example) must qualify the user name if:
You can add the PingFederate URL to the local intranet zone as an alternative to adding it to the trusted sites zone. Reasons for this vary based on the network design of the environment, but setting Automatic logon with current user name and password for the trusted sites zone implies that negotiate/authorization credentials might be sent in requests to sites outside of the intranet zone.
Configuring Google Chrome on Mac OS for Kerberos and NTLM
Authorize hosts for the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) using the terminal.
About this task
SPNEGO works on Chrome without configuration, but only negotiates NTLM. To enable Kerberos, you must authorize host or domain names for SPNEGO protocol message exchanges. Do this from Terminal or by joining Mac OS to AD. For information on joining Mac OS to AD, see Integrate Active Directory. For iOS, only NTLM via SPNEGO has been tested. Kerberos has not been verified.
Configure AuthServerWhitelist from the Terminal:
Steps
- Within your Mac OS Terminal, run kinit to get an initial ticket-granting ticket from your Kerberos domain controller, which Chrome then uses to request service tickets for the IWA adapter.
  >kinit <joe@ADdomain.com>
  joe@ADdomain.com's Password: <YourPassword>
- Go to the Chrome directory and start Chrome with the AuthServerWhitelist parameter.
  >cd </Applications/Google Chrome.app/Contents/MacOS>
  >./"Google Chrome" --auth-server-whitelist="<*.addomain.com>"
  Some services require delegation of the user's identity. By default, Chrome does not allow this. The AuthNegotiateDelegateWhitelist policy points Chrome to a server to delegate credentials. Add this parameter to the above command by specifying --auth-negotiate-delegate-whitelist="*.adexample.com".
  Result: This setting persists every time Chrome is launched.
- Run kinit every 10 hours for Chrome to request service tickets for the IWA adapter.
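As an added example that is not part of the PingFederate documentation, the following POSIX shell script wraps the three steps above: it checks for a valid TGT before launching Chrome (running kinit only when needed), refuses a bare wildcard allowlist so Negotiate credentials are never offered to every host, and passes both Chrome flags named on this page. The Chrome.app path, the use of klist -s for the ticket check, and the domain patterns in the usage line are assumptions to adjust for your environment.

```shell
#!/bin/sh
# Added example (not from the PingFederate documentation). Assumed values:
# the Chrome.app path below and the domain patterns passed in by the caller.
CHROME_BIN="/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"

# Build Chrome's SPNEGO flags from a server allowlist pattern ($1) and an
# optional delegation pattern ($2). A bare "*" or an empty server pattern is
# rejected: it would let Chrome offer Negotiate credentials to any host.
chrome_spnego_flags() {
    server="$1"; delegate="${2:-}"
    case "$server" in ""|"*") return 1 ;; esac
    case "$delegate" in "*") return 1 ;; esac
    flags="--auth-server-whitelist=$server"
    [ -n "$delegate" ] && flags="$flags --auth-negotiate-delegate-whitelist=$delegate"
    printf '%s' "$flags"
}

# Make sure a valid TGT is in the credential cache (klist -s exits 0 if so);
# otherwise run kinit for the given principal, e.g. joe@ADDOMAIN.COM.
ensure_tgt() {
    klist -s 2>/dev/null && return 0
    kinit "$1"
}

# Usage: launch_chrome '*.addomain.com' '*.adexample.com' joe@ADDOMAIN.COM
launch_chrome() {
    flags=$(chrome_spnego_flags "$1" "$2") || { echo "refusing unsafe SPNEGO allowlist" >&2; return 1; }
    ensure_tgt "$3" || return 1
    set -f                # disable globbing so "*.addomain.com" is not expanded
    "$CHROME_BIN" $flags  # word-split intentionally into separate arguments
}
```

Because the flags are supplied on the command line, the script must be used for every launch; the kinit step is skipped while the cached TGT is still valid.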
Configuring Mozilla Firefox for Kerberos and NTLM
Configure a list of trusted sites for the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO).
About this task
Firefox rejects all SPNEGO challenges from any web server by default. You must configure a whitelist of sites permitted to exchange SPNEGO messages with the browser.
Steps
- In the Firefox address bar, enter about:config. Click I accept the risk!
- Search for the following preferences:
  - network.negotiate-auth.trusted-uris
  - network.automatic-ntlm-auth.trusted-uris
- Double-click each of the preferences and enter any host or domain names in the Enter string value field, separated by commas. Click OK.
  You can add a period in front of the domain suffix to trust any hostname within the domain (for example, .adexample.pingidentity.com).
Result
SPNEGO supports Kerberos if the computer is joined to Active Directory (AD) and logged on with a domain user account, otherwise SPNEGO negotiates NTLM.
Firefox on Mac OS supports both Kerberos and NTLM if the computer is joined to AD; otherwise SPNEGO negotiates only NTLM.