Symantec Access Management

Tech Tip : CA Single Sign-On : google chrome not working with windows authentication


    Posted 09-26-2018 05:55 AM

    Question:


    How should we configure Google Chrome to process the Windows
    Authentication Scheme from CA Single Sign-On?

     

    Answer:

     

    Follow this document to configure it properly:

    Configuring Chrome and Firefox for Windows Integrated Authentication
    https://specopssoft.com/blog/configuring-chrome-and-firefox-for-windows-integrated-authentication/

     

    To modify the registry to configure Google Chrome
    Configure the following registry settings with the corresponding values:

     

    Registry

     

    AuthSchemes
    Data type: String (REG_SZ)
    Windows registry location: Software\Policies\Google\Chrome\AuthSchemes
    Mac/Linux preference name: AuthSchemes
    Supported on: Google Chrome (Linux, Mac, Windows) since version 9
    Supported features: Dynamic Policy Refresh: No, Per Profile: No
    Description: Specifies which HTTP Authentication schemes are supported by Google Chrome. Possible values are ‘basic’, ‘digest’, ‘ntlm’ and ‘negotiate’. Separate multiple values
    with commas. If this policy is left not set, all four schemes will be used.
    Value: “basic,digest,ntlm,negotiate”

     

    AuthServerWhitelist
    Data type: String (REG_SZ)
    Windows registry location: Software\Policies\Google\Chrome\AuthServerWhitelist
    Mac/Linux preference name: AuthServerWhitelist
    Supported on: Google Chrome (Linux, Mac, Windows) since version 9
    Supported features: Dynamic Policy Refresh: No, Per Profile: No
    Description: Specifies which servers should be whitelisted for integrated authentication. Integrated authentication is only enabled when Google Chrome receives an authentication
    challenge from a proxy or from a server which is in this permitted list. Separate multiple server names with commas. Wildcards (*) are allowed. If you leave this policy not set
    Chrome will try to detect if a server is on the Intranet and only then will it respond to IWA requests. If a server is detected as Internet then IWA requests from it will be ignored by
    Chrome.
    Value: “MYIISSERVER.DOMAIN.COM”

     

    AuthNegotiateDelegateWhitelist
    Data type: String (REG_SZ)
    Windows registry location: Software\Policies\Google\Chrome\AuthNegotiateDelegateWhitelist
    Mac/Linux preference name: AuthNegotiateDelegateWhitelist
    Supported on: Google Chrome (Linux, Mac, Windows) since version 9
    Supported features: Dynamic Policy Refresh: No, Per Profile: No
    Description: Servers that Google Chrome may delegate to. Separate multiple server names with commas. Wildcards (*) are allowed. If you leave this policy not set Chrome will not
    delegate user credentials even if a server is detected as Intranet.
    Example Value: “MYIISSERVER.DOMAIN.COM”

     

    From a DOS console, you can test the Google Chrome configuration
    before changing the registry like this:

     

    c:\> start /B chrome -auth-server-whitelist="myserver1.mydomain.com,myserver2.mydomain.com" -auth-negotiate-delegate-whitelist="myserver1.mydomain.com,myserver2.mydomain.com" -auth-schemes="digest,ntlm,negotiate" "http://myserver1.mydomain.com/"


    KB : KB000115852
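
One way to apply the three registry settings listed above and read them back, as an added example that is not part of the original tech tip. It assumes the machine-wide hive (HKLM; the tip does not name a hive), an elevated PowerShell session, and the placeholder host name from the tip; `Assert-HostPattern` is a hypothetical helper, and its refusal of wildcard-only entries is a safeguard added here, not a Chrome requirement.

```powershell
# Added example: write the Chrome policy values from the tip and verify them.
# Assumptions: HKLM hive, elevated session, placeholder host name from the tip.
$PolicyKey = 'HKLM:\Software\Policies\Google\Chrome'
$Servers   = @('MYIISSERVER.DOMAIN.COM')   # servers allowed to trigger integrated auth
$Delegates = @('MYIISSERVER.DOMAIN.COM')   # servers Chrome may delegate credentials to
$Schemes   = @('basic', 'digest', 'ntlm', 'negotiate')

# Hypothetical helper: reject entries that would match every host or break the list.
function Assert-HostPattern {
    param([string[]]$Patterns)
    foreach ($p in $Patterns) {
        if ([string]::IsNullOrWhiteSpace($p) -or $p -match '^[\*\.]+$') {
            throw "Refusing empty or wildcard-only server pattern: '$p'"
        }
        if ($p -match '[\s,]') {
            throw "Server pattern contains whitespace or a comma: '$p'"
        }
    }
}

Assert-HostPattern $Servers
Assert-HostPattern $Delegates

# Only the four scheme names given in the AuthSchemes description are accepted.
$known = 'basic', 'digest', 'ntlm', 'negotiate'
$bad   = $Schemes | Where-Object { $_ -notin $known }
if ($bad) { throw "Unknown auth scheme(s): $($bad -join ', ')" }

if (-not (Test-Path $PolicyKey)) {
    New-Item -Path $PolicyKey -Force | Out-Null
}

# All three policies are REG_SZ values holding comma-separated lists.
$values = [ordered]@{
    AuthSchemes                    = $Schemes   -join ','
    AuthServerWhitelist            = $Servers   -join ','
    AuthNegotiateDelegateWhitelist = $Delegates -join ','
}
foreach ($name in $values.Keys) {
    New-ItemProperty -Path $PolicyKey -Name $name -Value $values[$name] `
        -PropertyType String -Force | Out-Null
}

# Read back what was written so the result can be compared with the tip.
Get-ItemProperty -Path $PolicyKey |
    Select-Object AuthSchemes, AuthServerWhitelist, AuthNegotiateDelegateWhitelist |
    Format-List
```

Because the tip lists Dynamic Policy Refresh as "No" for all three settings, restart Chrome afterwards and confirm the values on the chrome://policy page. Current Chrome releases name the two list policies AuthServerAllowlist and AuthNegotiateDelegateAllowlist, so check which names your Chrome version reads.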