CA Service Management

  • Private Community
Back to discussions
Expand all | Collapse all

Service Catalog NTLM incompatibility with Google Chrome

  • 1.  Service Catalog NTLM incompatibility with Google Chrome

    Posted Apr 25, 2015 03:50 PM

    Hi there,

     

    I just configured NTLM SSA for CA Service Catalog and I'm successfully able to automatically login with Internet Explorer and Mozilla Firefox, however I'm having an issue with Google Chrome with a response stating "ERR_INVALID_AUTH_CREDENTIALS". Has anyone experience this or a similar issue, and how did you go about resolving it?

     

    Thanks

    Mo



  • 2.  Re: Service Catalog NTLM incompatibility with Google Chrome
    Best Answer

    Broadcom Employee
    Posted Apr 27, 2015 09:32 AM

    Hi,

     

    Are the Catalog Server and client machine in different subnets?

     

    I am asking this because I found something related in the past which referred to the following scenario:

     

    ////

     

    Catalog Server and client machine are in 2 different subnets

    Symptoms: Chrome doesnt let the domain user login using NTLM. You constantly see an error page from Catalog

    My Observations

    1. NTLM across subnets require an explicit 'AuthServerWhitelist' setting which is an registry entry needed a
      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\AuthServerWhitelist
    2. NOTE: AuthServerWhitelist - Specifies which servers should be whitelisted for integrated authentication. Integrated authentication is only enabled when Google Chrome receives an authentication challenge from a proxy or from a server which is in this permitted list. Separate multiple server names with commas. Wildcards (*) are allowed. If you leave this policy not set Chrome will try to detect if a server is on the Intranet and only then will it respond to IWA requests. If a server is detected as Internet then IWA requests from it will be ignored by Chrome.
    3. Set the value of this entry to *
    4. Close Chrome
    5. Open Chrome
    6. Browse to catalog URL and most likely NTLM SSO should get through

     

    Example:

     

    Windows Registry Editor Version 5.00

     

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]

    "AuthSchemes"="basic,digest,ntlm,negotiate"

    "AuthServerWhitelist"="*"

     

    ////

     

    Note that in regards of the "AuthSchemes" in registry key, there is also another document I found related that says:

     

    ////

     

    NTLM SSO worked fine if IP address is used. With hostname, authentication was failing.


    Reason:

    We use a Negotiate protocol during NTLM and chrome has 2 options to perform negotiation. It could use NTLM or Kerberos.

    Chrome will always use NTLM when IP address is used and this answers the puzzle of how NTLM works fine when using IP address (Refer:http://blogs.msdn.com/b/chiranth/archive/2013/09/21/ntlm-want-to-know-how-it-works.aspx)

     

    Now, the challenge is to force chrome to use NTLM instead of KERBEROS. Here is how this could be done:


    Set the registry entry that corresponds to Chrome HTTP auth policy setting:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
    "AuthSchemes"="basic,digest,ntlm"

     

     

    Here, I have explicitly omitted the scheme 'negotiate'. By default, in every client machine, this registry entry will not be even there, meaning all 4 schemes are used (Refer:http://dev.chromium.org/developers/design-documents/http-authentication)

     

    By forcibly, asking chrome to not use 'Negotiate', it naturally falls back to NTLM and the SSO works now. !!!


    ////


    Maybe that could help you?

     

    Regards,

    Roberto



  • 3.  Re: Service Catalog NTLM incompatibility with Google Chrome

    Posted May 08, 2015 02:01 AM

    Thank you so much Roberto!