I just configured NTLM SSA for CA Service Catalog and I'm successfully able to automatically login with Internet Explorer and Mozilla Firefox, however I'm having an issue with Google Chrome with a response stating "ERR_INVALID_AUTH_CREDENTIALS". Has anyone experience this or a similar issue, and how did you go about resolving it?
Are the Catalog Server and client machine in different subnets?
I am asking this because I found something related in the past which referred to the following scenario:
Catalog Server and client machine are in 2 different subnets
Symptoms: Chrome doesn't let the domain user log in using NTLM. You constantly see an error page from Catalog.
Windows Registry Editor Version 5.00
Note that in regards of the "AuthSchemes" in registry key, there is also another document I found related that says:
NTLM SSO worked fine if IP address is used. With hostname, authentication was failing.
We use a Negotiate protocol during NTLM and Chrome has 2 options to perform negotiation. It could use NTLM or Kerberos.
Chrome will always use NTLM when an IP address is used, and this answers the puzzle of how NTLM works fine when using the IP address (Refer: http://blogs.msdn.com/b/chiranth/archive/2013/09/21/ntlm-want-to-know-how-it-works.aspx)
Now, the challenge is to force Chrome to use NTLM instead of Kerberos. Here is how this could be done:
Set the registry entry that corresponds to Chrome HTTP auth policy setting:
Here, I have explicitly omitted the scheme 'negotiate'. By default, on every client machine, this registry entry will not even be there, meaning all 4 schemes are used (Refer: http://dev.chromium.org/developers/design-documents/http-authentication)
By forcibly asking Chrome not to use 'Negotiate', it naturally falls back to NTLM and the SSO works now!
Maybe that could help you?
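The following PowerShell is an added example, not part of the thread or of CA Service Catalog, showing how the AuthSchemes policy described in the answer above can be applied and verified on a client machine. It assumes the standard Chrome machine-policy key under HKLM\SOFTWARE\Policies\Google\Chrome (a real Chrome policy location), an elevated session, and that Chrome's default when the value is absent is "basic,digest,ntlm,negotiate"; the function names are this example's own.

```powershell
# Added example: pin Chrome's HTTP authentication schemes so that Negotiate
# (Kerberos) is excluded and Chrome falls back to NTLM for the Catalog host.
# Assumes an elevated PowerShell session on the client machine.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'   # standard Chrome machine-policy key
$ValueName = 'AuthSchemes'
# Chrome's built-in default when the policy is absent is "basic,digest,ntlm,negotiate".
$Schemes   = 'basic,digest,ntlm'                        # 'negotiate' deliberately omitted

function Set-ChromeAuthSchemes {
    # Create the policy key if missing and write the comma-separated scheme list.
    param([Parameter(Mandatory)][string]$SchemeList)
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -Value $SchemeList `
        -PropertyType String -Force | Out-Null
}

function Get-ChromeAuthSchemes {
    # Returns $null when the policy is not set, i.e. Chrome uses all four schemes.
    (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
}

function Remove-ChromeAuthSchemes {
    # Roll back: deleting the value restores Chrome's default (Negotiate enabled again).
    Remove-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
}

# Record the previous state so the change can be reverted, then apply it.
$before = Get-ChromeAuthSchemes
Set-ChromeAuthSchemes -SchemeList $Schemes
$after  = Get-ChromeAuthSchemes

"AuthSchemes before: $(if ($null -eq $before) { '<not set: all schemes>' } else { $before })"
"AuthSchemes after : $after"
if ($after -match '(?i)negotiate') {
    Write-Warning 'negotiate is still listed; Chrome will keep trying Kerberos first.'
}
# After restarting Chrome, chrome://policy should list AuthSchemes as a machine policy.
```

Two points worth keeping in mind when using this: the policy is machine-wide, so omitting negotiate turns off Kerberos for every site Chrome visits on that client, not just the Catalog server, which is why scoping it through Group Policy to the affected clients is preferable to hand-editing each machine; and Remove-ChromeAuthSchemes is included so the change can be backed out cleanly once the underlying subnet or hostname issue is fixed.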
Thank you so much Roberto!