CHROME, FIREFOX, EDGE LDAP
Configure browsers to use Kerberos
Using Kerberos requires that your clients' browsers are configured properly. Depending on which browser your clients use, the Kerberos configuration has to be set up in a different way. Please note that without a properly configured browser the Kerberos token is not sent to the server, so LDAP will not work.
INTERNET EXPLORER
The URL http://webserver.test.ad must be added to Internet options > Security > Local intranet.
You can deploy this setting by using a group policy for the node Computer Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Site to Zone Assignment List. Each of your LDAP-enabled sites has to be in the Intranet zone (value = 1). You can use wildcards like "https://*.test.ad".
After you have configured the setting, it should look like this:
Please note that enforcing a GPO for the Site to Zone Assignment List no longer allows your users to edit the setting on their own. There are two options:
1. Collect each custom configuration and assemble the complete list. In most cases you can use a wildcard on your internal domain, like https://*.test.ad and http://*.test.ad, to include all internal sites.
2. Configure a custom assignment list by using a logon script or a tool such as Opscode Chef or Microsoft's Desired State Configuration.
The first option is the recommended way to go.
Check the other security settings
Please make sure that your LDAP-enabled domain is entered only in the Local intranet zone and nowhere else. If you have mistakenly entered the same domain in both Trusted sites and Local intranet, the Trusted sites entry is used and no Kerberos token is sent by Internet Explorer to the webserver.
CHROME
In order to use Chrome for LDAP you also must deploy the settings shown in the Internet Explorer configuration above.
Newer versions of Chrome automatically detect the Kerberos negotiation and transmit your token. If you are using an outdated version of Chrome we highly suggest that you update it for security reasons. If an update is not possible at all, Chrome must be started with the parameter:
--auth-server-whitelist="*.test.ad"
Like this (the path contains spaces, so it must be quoted):
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --auth-server-whitelist="*.test.ad"
This setting can be automatically deployed by using group policies.
1. Download the official group policies for Chrome
2. Follow the installation procedure and open the chrome.admx
3. Configure a policy for the option AuthServerWhitelist
4. Deploy the policy
FIREFOX
In Firefox you have to go to the about:config page and set the parameters
network.negotiate-auth.trusted-uris
network.automatic-ntlm-auth.trusted-uris
to http://webserver.test.ad.
The deployment of those settings can be done by using the official group policy templates for Firefox, provided by Mozilla. The relevant policy is described there as follows:
Authentication
Configure sites that support integrated authentication.
See https://developer.mozilla.org/en-US/docs/Mozilla/Integrated_authentication for more information.
PrivateBrowsing enables integrated authentication in private browsing.
Compatibility: Firefox 60, Firefox ESR 60 (AllowNonFQDN added in 62/60.2, AllowProxies added in 70/68.2, Locked added in 71/68.3, PrivateBrowsing added in 77/68.9)
CCK2 Equivalent: N/A
Preferences Affected:
network.negotiate-auth.trusted-uris
network.negotiate-auth.delegation-uris
network.automatic-ntlm-auth.trusted-uris
network.automatic-ntlm-auth.allow-non-fqdn
network.negotiate-auth.allow-non-fqdn
network.automatic-ntlm-auth.allow-proxies
network.negotiate-auth.allow-proxies
network.auth.private-browsing-sso
Windows (GPO)
Software\Policies\Mozilla\Firefox\Authentication\SPNEGO\1 = "mydomain.com"
Software\Policies\Mozilla\Firefox\Authentication\SPNEGO\2 = "https://myotherdomain.com"
Software\Policies\Mozilla\Firefox\Authentication\Delegated\1 = "mydomain.com"
Software\Policies\Mozilla\Firefox\Authentication\Delegated\2 = "https://myotherdomain.com"
Software\Policies\Mozilla\Firefox\Authentication\NTLM\1 = "mydomain.com"
Software\Policies\Mozilla\Firefox\Authentication\NTLM\2 = "https://myotherdomain.com"
Software\Policies\Mozilla\Firefox\Authentication\AllowNonFQDN\SPNEGO = 0x1 | 0x0
Software\Policies\Mozilla\Firefox\Authentication\AllowNonFQDN\NTLM = 0x1 | 0x0
Software\Policies\Mozilla\Firefox\Authentication\AllowProxies\SPNEGO = 0x1 | 0x0
Software\Policies\Mozilla\Firefox\Authentication\AllowProxies\NTLM = 0x1 | 0x0
Software\Policies\Mozilla\Firefox\Authentication\Locked = 0x1 | 0x0
Software\Policies\Mozilla\Firefox\Authentication\PrivateBrowsing = 0x1 | 0x0
EDGE
The configuration for Edge (Chromium) is very similar to that for Chrome. There are only minor naming differences.
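As an added example (not part of the original page or of any vendor tooling), the following Python script models the three matching rules described above, so a settings package can be sanity-checked before it is deployed: the Internet Explorer/Edge rule that a site must be in the Local intranet zone only, Chrome's comma-separated host list for auth-server-whitelist, and Firefox's network.negotiate-auth.trusted-uris list of URL prefixes or domains. The test.ad hostnames and the sample zone table are constructed; the matching logic is an approximation of the browsers' behaviour, not their code.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

INTRANET, TRUSTED = 1, 2  # zone numbers used by the Site to Zone Assignment List


def _zone_entry_matches(entry, url):
    """Match one Site to Zone entry ('https://*.test.ad', 'http://webserver.test.ad'
    or '*.test.ad') against a URL: an optional scheme must agree, the host is a glob."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if "://" in entry:
        entry_scheme, entry_host = entry.split("://", 1)
        if entry_scheme.lower() != parts.scheme.lower():
            return False
    else:
        entry_host = entry
    return fnmatchcase(host, entry_host.lower())


def ie_sends_token(site_to_zone, url):
    """Rule from the text: the site must resolve to Local intranet (1). If it also
    matches a Trusted sites (2) entry, Trusted sites wins and no token is sent."""
    zones = {z for e, z in site_to_zone.items() if _zone_entry_matches(e, url)}
    return INTRANET in zones and TRUSTED not in zones


def chrome_sends_token(auth_server_list, url):
    """Model of --auth-server-whitelist / AuthServerWhitelist: comma-separated host globs."""
    host = (urlsplit(url).hostname or "").lower()
    globs = [g.strip().lower() for g in auth_server_list.split(",") if g.strip()]
    return any(fnmatchcase(host, g) for g in globs)


def firefox_sends_token(trusted_uris, url):
    """Model of network.negotiate-auth.trusted-uris: comma-separated entries that are
    either URL prefixes (scheme + host) or bare domains, which also cover subdomains."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for entry in [e.strip().lower() for e in trusted_uris.split(",") if e.strip()]:
        if "://" in entry:
            scheme, domain = entry.split("://", 1)
            if scheme != parts.scheme.lower():
                continue
        else:
            domain = entry.lstrip(".")
        if host == domain or host.endswith("." + domain):
            return True
    return False


# Constructed sample Site to Zone list: the intranet wildcards from the text plus one
# portal mistakenly placed in Trusted sites, the situation the text warns about.
SITE_TO_ZONE = {"https://*.test.ad": INTRANET, "http://*.test.ad": INTRANET,
                "https://portal.test.ad": TRUSTED}
```

Run the functions against each URL your users will open; any site for which a function returns False will fall back to a password prompt or fail LDAP login in that browser.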