15

An IIS7 Intranet site with Windows Authentication enabled. When hit from Chrome on windows the pass-through authentication works fine (no User / Password prompt), however, Chrome on a Mac you get a prompt. Since the internal network uses CAC/PKI no one has a password.

I've tried toggling the Windows Authentication on the site to negotiate, but same user/pass prompt.

appcmd set config /section:windowsAuthentication /-providers.[value='Negotiate']

Anyone know a solution for Chrome on OS X?

EDIT

OS X 10.6.8

Centrify for Mac will be used to authenticate to the (Windows 2008 R2 ActiveDirectory) network via CAC.

EDIT 2

There is a proxy setup, but it gets bypassed for local intranet sites, so I don't think it is playing a role.

Also tried using the --auth-server-whitelist command line switch, didn't work.

EDIT 3

SOLUTION

# -a resolves the app bundle from any working directory; everything after --args is handed to Chrome as its command line
open -a 'Google Chrome' --args --auth-server-whitelist="*DOMAIN.TLD" --auth-negotiate-delegate-whitelist="*DOMAIN.TLD" --auth-schemes="digest,ntlm,negotiate"

Unfortunately Google Chrome for Mac has no way of specifying command line arguments on every load, so some sort of shell script will need to be made.

Running the following shell script at log in was the final solution to get around Chrome updates and extra doc icons.

#!/bin/bash
set -e
cd "/Applications/Google Chrome.app/Contents/MacOS/"
if [ -f 'Google Chrome.bin' ]; then
   echo "Already Modified"
else
   # Move the real binary aside and put a wrapper in its place that adds the auth switches.
   # The wrapper is written through "sudo tee": with "sudo echo ... > file" only echo is
   # privileged, the redirection runs as the logged-in user and fails on /Applications.
   sudo mv 'Google Chrome' 'Google Chrome.bin'
   # --args is an "open" switch, not a Chrome one, so it is dropped here; "$@" forwards any
   # arguments (URLs, profile switches) the wrapper is launched with.
   printf '%s\n' '#!/bin/bash' \
     'exec "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome.bin" --auth-server-whitelist="*DOMAIN.TLD" --auth-negotiate-delegate-whitelist="*DOMAIN.TLD" --auth-schemes="digest,ntlm,negotiate" "$@"' \
     | sudo tee 'Google Chrome' > /dev/null
   sudo chmod a+x 'Google Chrome'
   echo "NTLM Will now work in chrome"
fi
Louis Ricci
  • you don't provide enough information on how the Macs authenticate on the network... there are several dependencies - for example which OSX version you are using etc. - in the current state your question can't be answered :-( – Yahia Dec 27 '11 at 13:51
  • @Yahia - I updated the question, hopefully now it can be answered without having to make assumptions. – Louis Ricci Dec 27 '11 at 14:20
  • From what I gather what you want might be impossible. BUT to be on the safe side I would strongly recommend to ask the vendor of Centrify - perhaps they have some sort of "single-sign-on module for web applications" to help with this situation... – Yahia Dec 27 '11 at 14:36
  • @Yahia - Is there a Mac+ChromeBrowser configuration that WOULD make this possible? Perhaps with something in-place of Centrify... – Louis Ricci Dec 27 '11 at 15:48
  • Any chance you could use OSX 10.7 ? – Yahia Dec 27 '11 at 21:32
  • @Yahia - Yes... Does OSX 10.7 have some feature that improves windows auth compatibility? – Louis Ricci Dec 28 '11 at 12:03
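The allowlist values in the question and answers (`*DOMAIN.TLD`, `*.MY.DOMAIN`) decide which servers Chrome will silently send Negotiate/NTLM responses to and, for the delegate list, which servers receive the user's forwardable Kerberos ticket. The pattern form matters: Chrome parses these lists with the same rules as proxy bypass lists, where `*` is a plain wildcard, so `*DOMAIN.TLD` (no dot) also matches a host such as `evilDOMAIN.TLD`, while `*.DOMAIN.TLD` requires a real subdomain and then misses the bare `DOMAIN.TLD`. The script below is an added example, not code from the question or any answer: it models that matching (assumption: a case-insensitive, comma-separated glob list, which is how the proxy-bypass grammar behaves; check against the Chrome version you deploy) so a pattern can be sanity-checked before it is pushed out as policy. The hostnames in `check_patterns` are constructed.

```shell
#!/bin/sh
# Added example, not part of the original Q&A. Models how a Chrome
# AuthServerAllowlist / AuthNegotiateDelegateAllowlist string is matched
# against a request host. Assumption: comma-separated list, case-insensitive,
# '*' is a plain wildcard (proxy-bypass semantics). Verify for your build.

# Usage: auth_host_allowed "<comma-separated patterns>" "<hostname>"
# Returns 0 if any pattern matches the host, 1 otherwise.
auth_host_allowed() {
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    list=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    matched=1
    set -f                        # no pathname expansion while splitting on commas
    old_ifs=$IFS; IFS=','
    for pat in $list; do
        # strip the padding left by "a, b" style lists
        pat=$(printf '%s' "$pat" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        [ -n "$pat" ] || continue
        # $pat is deliberately unquoted: the shell's case glob does the matching
        case $host in
            $pat) matched=0; break ;;
        esac
    done
    IFS=$old_ifs
    set +f
    return $matched
}

# Compare the question's no-dot pattern with the stricter dotted form on a few
# constructed hostnames; "prompt" is what the user would see for a miss.
check_patterns() {
    for h in intranet.domain.tld domain.tld evildomain.tld intranet.other.tld; do
        for p in '*DOMAIN.TLD' '*.DOMAIN.TLD'; do
            if auth_host_allowed "$p" "$h"; then r=allowed; else r=prompt; fi
            printf '%-20s %-14s %s\n' "$h" "$p" "$r"
        done
    done
}

check_patterns
```

Running it prints one line per host/pattern pair; the row for `evildomain.tld` against `*DOMAIN.TLD` is the one to look at, because the delegate allowlist is what decides whether a host with that name can collect a delegated ticket. Listing `DOMAIN.TLD, *.DOMAIN.TLD` covers the apex and its subdomains without the loose prefix match.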

6 Answers

5

It seems we can do the following configuration in Terminal:

$ defaults write com.google.Chrome AuthServerWhitelist "*.example.com"
$ defaults write com.google.Chrome AuthNegotiateDelegateWhitelist "*.example.com"
$ defaults write com.google.Chrome AuthSchemes "digest,ntlm,negotiate"
yuanli
5

This isn't a bug at the moment. The Mac version of Chrome simply does not support/respect Kerberos policies ("Negotiate" Windows Authentication) unless the domain is white-listed and the browser is fired from the command line. See this link posted 10/31/2011:

http://code.google.com/p/chromium/issues/detail?id=102339

It looks like you might be able to permanently white-list a domain though:

http://www.google.com/support/forum/p/Chrome/thread?tid=592eb87350d9d528&hl=en


Since you have already tried the white-list switch, I looked closer and it is an OSX thing... 10.7 is necessary for the switch to work properly with Chrome. Your 10.6 version won't work without a third party tool like Centrify.

Not a happy answer, but the truth.

one.beat.consumer
1

defaults write com.google.Chrome AuthServerWhitelist '<your domain>' will permanently allow Kerberos to a server or set of servers (*.mydomain.local).

mentat
0

Integrated Windows Auth (NTLM) on a Mac using Safari:

  1. Update krb5.conf
$ sudo nano /etc/krb5.conf

[logging]
 default = /var/log/krb5libs.log
 kdc = /var/log/krb5kdc.log
 admin_server = /var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes
 default_realm = MY.DOMAIN
 udp_preference_limit = 1

[realms]

[domain_realm]

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

  2. Run kinit command
$ kinit -V myuser

myuser@MY.DOMAIN's password:
Placing tickets for 'myuser@MY.DOMAIN' in cache 'API:redacted'
  3. Access website via Safari

Note: This used to work with Chrome using the following commands but has recently stopped working, so now use Safari:

defaults write com.google.Chrome AuthServerWhitelist "*.MY.DOMAIN"
defaults write com.google.Chrome AuthNegotiateDelegateWhitelist "*.MY.DOMAIN"
defaults write com.google.Chrome AuthSchemes "digest,ntlm,negotiate"
Wayne Shelley
0

At this moment the working solution is:

defaults write com.google.Chrome AuthServerAllowlist "*.MY.DOMAIN"
defaults write com.google.Chrome AuthNegotiateDelegateAllowlist "*.MY.DOMAIN"
defaults write com.google.Chrome AuthSchemes "digest,ntlm,negotiate"

And then you can check here: chrome://policy/

Matthew
0

What version of Chrome? This was an active bug; make sure you've got the latest version. It should work...

http://chromium.googlecode.com/issues/attachment?aid=-4050060571219819368&name=Prompt.png&token=NHQTVDWyO_jUXxWmvuzGnGer2sc%3A1325131426103&inline=1

http://code.google.com/p/chromium/issues/detail?id=19

edwardsharp
  • lol sidenote, the NTLM code comes from mozilla! http://src.chromium.org/viewvc/chrome/trunk/src/net/http/http_auth_handler_ntlm.h?view=markup&pathrev=10667 – edwardsharp Dec 29 '11 at 04:11
  • It's the latest version of Chrome (auto update). It doesn't work with the OSX+Centrify config from my question. – Louis Ricci Dec 29 '11 at 12:13