Hi,
Are the Catalog Server and client machine in different subnets?
I am asking this because I found something related in the past which referred to the following scenario:
////
Catalog Server and client machine are in 2 different subnets
Symptoms: Chrome doesnt let the domain user login using NTLM. You constantly see an error page from Catalog
My Observations
- NTLM across subnets require an explicit 'AuthServerWhitelist' setting which is an registry entry needed a
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\AuthServerWhitelist - NOTE: AuthServerWhitelist - Specifies which servers should be whitelisted for integrated authentication. Integrated authentication is only enabled when Google Chrome receives an authentication challenge from a proxy or from a server which is in this permitted list. Separate multiple server names with commas. Wildcards (*) are allowed. If you leave this policy not set Chrome will try to detect if a server is on the Intranet and only then will it respond to IWA requests. If a server is detected as Internet then IWA requests from it will be ignored by Chrome.
- Set the value of this entry to *
- Close Chrome
- Open Chrome
- Browse to catalog URL and most likely NTLM SSO should get through
Example:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"AuthSchemes"="basic,digest,ntlm,negotiate"
"AuthServerWhitelist"="*"
////
Note that in regards of the "AuthSchemes" in registry key, there is also another document I found related that says:
////
NTLM SSO worked fine if IP address is used. With hostname, authentication was failing.
Reason:
We use a Negotiate protocol during NTLM and chrome has 2 options to perform negotiation. It could use NTLM or Kerberos.
Chrome will always use NTLM when IP address is used and this answers the puzzle of how NTLM works fine when using IP address (Refer:http://blogs.msdn.com/b/chiranth/archive/2013/09/21/ntlm-want-to-know-how-it-works.aspx)
Now, the challenge is to force chrome to use NTLM instead of KERBEROS. Here is how this could be done:
Set the registry entry that corresponds to Chrome HTTP auth policy setting:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"AuthSchemes"="basic,digest,ntlm"
Here, I have explicitly omitted the scheme 'negotiate'. By default, in every client machine, this registry entry will not be even there, meaning all 4 schemes are used (Refer:http://dev.chromium.org/developers/design-documents/http-authentication)
By forcibly, asking chrome to not use 'Negotiate', it naturally falls back to NTLM and the SSO works now. !!!
////
Maybe that could help you?
Regards,
Roberto