Enable authentication to the Password Reset Web Server
Authentication to the Password Reset Web Server uses Windows Integrated Authentication (Negotiate/Kerberos or NTLM). For the browser to send these credentials silently, it must treat the server as an intranet site. If Windows Integrated Authentication is not used, the browser falls back to prompting the user for a username and password and sends them with Basic Authentication, which carries the credentials base64-encoded (readable by anyone on the network path) unless the connection is HTTPS.
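Before touching any browser settings it is worth confirming what the server actually offers. The following is an added example, not part of the Specops documentation: it sends an unauthenticated request to the Password Reset Web Server, reads the WWW-Authenticate challenge headers from the 401 response, and flags two problems a practitioner cares about: no Negotiate/NTLM offered (integrated authentication is not enabled on the server) and Basic offered over plain HTTP (a browser prompt would send the password in the clear). It assumes Windows PowerShell 5.1, where Invoke-WebRequest throws a WebException on 401, and the hostname is a placeholder.

```powershell
# Added example, not part of the Specops Password Reset documentation.
# Assumes Windows PowerShell 5.1; the URL is a placeholder for your own server.

function Test-IwaChallenge {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Url)

    $schemes = @()
    $status  = $null
    try {
        # No credentials on purpose: we want the 401 challenge, not a session.
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        $status = [int]$r.StatusCode
    }
    catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if (-not $resp) { throw }          # DNS/TLS/connection failure, not a challenge
        $status = [int]$resp.StatusCode
        $values = $resp.Headers.GetValues('WWW-Authenticate')
        if ($values) {
            # Each header is "<scheme> [params]"; keep only the scheme token.
            $schemes = @($values | ForEach-Object { ($_ -split '\s+')[0] })
        }
    }

    $findings = New-Object System.Collections.Generic.List[string]
    if ($status -ne 401) {
        $findings.Add("Expected a 401 challenge but got HTTP $status (anonymous access or a redirect?)")
    }
    if (-not ($schemes -contains 'Negotiate' -or $schemes -contains 'NTLM')) {
        $findings.Add('Server does not offer Negotiate or NTLM: Windows Integrated Authentication is not enabled')
    }
    if ($schemes -contains 'Basic' -and $Url -notmatch '^https://') {
        $findings.Add('Basic is offered over plain HTTP: a credential prompt would send the password unencrypted')
    }

    [pscustomobject]@{
        Url      = $Url
        Status   = $status
        Schemes  = $schemes
        Findings = $findings.ToArray()
    }
}

# Usage (hostname is a placeholder):
Test-IwaChallenge -Url 'https://spr.domain.com/' | Format-List
```

Run it from a domain-joined client; an empty Findings list with Negotiate or NTLM in Schemes is the state the browser configuration below relies on.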
Enable integrated authentication in Internet Explorer
- Open the Group Policy Management Console.
- Right-click the GPO you want to edit and select Edit.
- In the Group Policy Management Editor, expand Computer Configuration, Policies, Administrative Templates, Windows Components, Internet Explorer, Internet Explorer Control Panel, and select Security Page.
- In the details pane, double-click Site to Zone Assignment List.
- Click Enable.
- Click Show….
- In the Value name text field, add your URL.
- In the Value text field, enter 1. This places the URL in the Local intranet zone, the zone in which Internet Explorer sends the current user's Windows credentials automatically.
- In the Show Contents dialog box, click OK.
- Click OK to finish.
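The Site to Zone Assignment List policy is stored as REG_SZ values under the ZoneMapKey policy key, one value per site, with the zone number as the data. The following added example (not from the Specops documentation) writes that value directly on a single machine, for a lab box or for checking what a GPO actually applied, and reads the mapping back with the zone names resolved. Use the GPO for fleet-wide rollout. The hostname is a placeholder; run elevated.

```powershell
# Added example, not part of the Specops Password Reset documentation.
# Writes/reads the same registry value the "Site to Zone Assignment List"
# policy manages. Hostname is a placeholder. Run elevated.

$ZoneMapKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

# Zone ids used by the policy (1 is the zone that sends integrated credentials)
$ZoneNames = @{ '1' = 'Local intranet'; '2' = 'Trusted sites'; '3' = 'Internet'; '4' = 'Restricted sites' }

function Set-SiteZoneAssignment {
    param(
        [Parameter(Mandatory)][string]$Site,
        [ValidateSet('1','2','3','4')][string]$Zone = '1'
    )
    if (-not (Test-Path $ZoneMapKey)) { New-Item -Path $ZoneMapKey -Force | Out-Null }
    # Value name = site, data = zone id, type REG_SZ, exactly as the GPO writes it.
    New-ItemProperty -Path $ZoneMapKey -Name $Site -Value $Zone -PropertyType String -Force | Out-Null
}

function Get-SiteZoneAssignments {
    if (-not (Test-Path $ZoneMapKey)) { return @() }
    $item = Get-Item $ZoneMapKey
    foreach ($name in $item.GetValueNames()) {
        $zone = [string]$item.GetValue($name)
        [pscustomobject]@{
            Site     = $name
            Zone     = $zone
            ZoneName = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { 'unknown' }
        }
    }
}

# Usage: map the Password Reset server into the Local intranet zone, then list all assignments
Set-SiteZoneAssignment -Site 'https://spr.domain.com'
Get-SiteZoneAssignments | Format-Table -AutoSize
```

Listing the assignments is also a quick way to spot overly broad entries (for example a whole domain wildcard placed in zone 1), which would extend automatic credential sending to every host that matches.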
Enable integrated authentication in Firefox
You can configure Firefox to use Windows Integrated Authentication.
- Open Firefox.
- In the address bar type about:config
- You will receive a security warning. To continue, click I'll be careful, I promise (Accept the Risk and Continue in newer Firefox versions).
You will need to change the following settings:

Setting | Value |
---|---|
network.automatic-ntlm-auth.trusted-uris | MySprServer.domain.com |
network.automatic-ntlm-auth.allow-proxies | True |
network.negotiate-auth.allow-proxies | True |

These settings cover NTLM. If the server challenges with Negotiate (Kerberos), also add the server name to network.negotiate-auth.trusted-uris; otherwise Firefox prompts for credentials instead of authenticating silently.
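Editing about:config per machine does not scale and users can change it back. The following added example (not from the Specops documentation) sets the same preferences through a Firefox enterprise policy file, distribution\policies.json under the Firefox install directory, which Firefox 60 and later (including ESR) read at startup and show on about:policies. The Authentication policy's NTLM and SPNEGO lists correspond to the two trusted-uris preferences, AllowProxies to the allow-proxies preferences, and an empty Delegated list keeps credential delegation off. The install path and hostname are assumptions; run elevated.

```powershell
# Added example, not part of the Specops Password Reset documentation.
# Writes a Firefox enterprise policy file equivalent to the about:config
# settings above. Install path and hostname are assumptions. Run elevated.

function New-FirefoxIwaPolicy {
    param(
        [Parameter(Mandatory)][string[]]$TrustedHosts,
        [string]$FirefoxDir = "$env:ProgramFiles\Mozilla Firefox"
    )
    $policy = @{
        policies = @{
            Authentication = @{
                NTLM         = $TrustedHosts   # network.automatic-ntlm-auth.trusted-uris
                SPNEGO       = $TrustedHosts   # network.negotiate-auth.trusted-uris (Kerberos)
                AllowProxies = $true           # network.*.allow-proxies
                Delegated    = @()             # never delegate the user's credentials
            }
        }
    }
    $dir = Join-Path $FirefoxDir 'distribution'
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $file = Join-Path $dir 'policies.json'
    $policy | ConvertTo-Json -Depth 5 | Set-Content -Path $file -Encoding UTF8
    return $file
}

function Get-FirefoxIwaPolicy {
    param([string]$FirefoxDir = "$env:ProgramFiles\Mozilla Firefox")
    $file = Join-Path $FirefoxDir 'distribution\policies.json'
    if (-not (Test-Path $file)) { return $null }
    # Read back only the authentication section so it can be compared with about:policies
    (Get-Content -Path $file -Raw | ConvertFrom-Json).policies.Authentication
}

# Usage (hostname is a placeholder)
New-FirefoxIwaPolicy -TrustedHosts @('MySprServer.domain.com')
Get-FirefoxIwaPolicy
```

List only the Password Reset server host name; Firefox treats each entry as a host or domain suffix, so a bare domain would extend silent credential sending to every host in it.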
Enable integrated authentication in Chrome
To enable Chrome to use Windows Integrated Authentication, you must configure chrome.exe. For one or a few computers, the command line alternative or a direct registry change is the practical option. Where a group of users needs it, such as a school in which teachers reset student passwords, a GPO linked to the teachers' OU is the better choice.
Use the command line
You can add a chrome.exe shortcut on the user's desktop whose target starts Chrome with the following switches (newer Chrome versions spell the first two --auth-server-allowlist and --auth-negotiate-delegate-allowlist):
--auth-server-whitelist="MYSPRSERVER.DOMAIN.COM"
--auth-negotiate-delegate-whitelist="MYSPRSERVER.DOMAIN.COM"
--auth-schemes="digest,ntlm,negotiate"
The switches only apply to Chrome started from that shortcut. If Chrome is already running, a new window joins the existing process and the switches are ignored, which is one reason to prefer the registry or GPO methods below.
Modify the registry
Configure the following registry values under HKLM\Software\Policies\Google\Chrome (all users on the computer) or HKCU\Software\Policies\Google\Chrome (one user). Newer Chrome versions read these policies under the names AuthServerAllowlist and AuthNegotiateDelegateAllowlist instead of the Whitelist names below; check chrome://policy to confirm which names your Chrome version honours.

Registry | Value |
---|---|
AuthSchemes | Data type: String (REG_SZ). Windows registry location: Software\Policies\Google\Chrome\AuthSchemes. Mac/Linux preference name: AuthSchemes. Dynamic Policy Refresh: No. Per Profile: No. Description: Specifies which HTTP authentication schemes Google Chrome supports. Possible values are basic, digest, ntlm and negotiate; separate multiple values with commas. If the policy is not set, all four schemes are used. Leaving out basic and digest stops Chrome from falling back to a password prompt when integrated authentication fails. Value: "basic,digest,ntlm,negotiate" |
AuthServerWhitelist | Data type: String (REG_SZ). Windows registry location: Software\Policies\Google\Chrome\AuthServerWhitelist. Mac/Linux preference name: AuthServerWhitelist. Dynamic Policy Refresh: No. Per Profile: No. Description: Specifies which servers are permitted for integrated authentication. Integrated authentication is only used when Google Chrome receives an authentication challenge from a proxy or from a server in this list. Separate multiple server names with commas. Wildcards (*) are allowed. If the policy is not set, Chrome tries to detect whether a server is on the intranet and only then responds to IWA requests; a server detected as Internet has its IWA requests ignored. Value: "MYSPRSERVER.DOMAIN.COM" |
AuthNegotiateDelegateWhitelist | Data type: String (REG_SZ). Windows registry location: Software\Policies\Google\Chrome\AuthNegotiateDelegateWhitelist. Mac/Linux preference name: AuthNegotiateDelegateWhitelist. Dynamic Policy Refresh: No. Per Profile: No. Description: Servers to which Google Chrome may delegate the user's Kerberos credentials. Separate multiple server names with commas. Wildcards (*) are allowed. If the policy is not set, Chrome does not delegate user credentials even when a server is detected as intranet. Only list the Password Reset server here: a listed server can act on the user's behalf towards other services, so a wildcard hands that ability to every matching host. Example value: "MYSPRSERVER.DOMAIN.COM" |
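The following added example (not from the Specops documentation) writes the three Chrome policies from the table on one machine under HKLM and reads them back, with a check for the one setting that is dangerous if it is too broad. It writes both the Whitelist names used in the table and the newer Allowlist names so the policy applies whichever spelling the installed Chrome honours; chrome://policy shows which one took effect. Delegation is off unless asked for, and the default scheme list leaves out basic and digest so Chrome cannot fall back to a password prompt (the documentation's value also lists basic,digest). The hostname is a placeholder; run elevated.

```powershell
# Added example, not part of the Specops Password Reset documentation.
# Writes/reads the Chrome authentication policies in the registry.
# Hostname is a placeholder. Run elevated.

$ChromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Set-ChromeIwaPolicy {
    param(
        [Parameter(Mandatory)][string]$Server,
        # Default omits basic and digest so Chrome never prompts for a password;
        # the documentation's table uses 'basic,digest,ntlm,negotiate'.
        [string]$Schemes = 'ntlm,negotiate',
        [switch]$AllowDelegation    # only if the server needs Kerberos delegation
    )
    if (-not (Test-Path $ChromePolicy)) { New-Item -Path $ChromePolicy -Force | Out-Null }
    $values = @{
        AuthSchemes         = $Schemes
        AuthServerAllowlist = $Server   # newer policy name
        AuthServerWhitelist = $Server   # older policy name, as in the table
    }
    if ($AllowDelegation) {
        $values.AuthNegotiateDelegateAllowlist = $Server
        $values.AuthNegotiateDelegateWhitelist = $Server
    }
    foreach ($kv in $values.GetEnumerator()) {
        New-ItemProperty -Path $ChromePolicy -Name $kv.Key -Value $kv.Value -PropertyType String -Force | Out-Null
    }
}

function Get-ChromeIwaPolicy {
    $names = 'AuthSchemes', 'AuthServerAllowlist', 'AuthServerWhitelist',
             'AuthNegotiateDelegateAllowlist', 'AuthNegotiateDelegateWhitelist'
    foreach ($n in $names) {
        $prop  = Get-ItemProperty -Path $ChromePolicy -Name $n -ErrorAction SilentlyContinue
        $value = if ($prop) { [string]$prop.$n } else { '(not set)' }
        $warn  = ''
        # A wildcard in the delegate list lets any matching host receive the user's credentials
        if ($n -like 'AuthNegotiateDelegate*' -and $value -match '\*') {
            $warn = 'wildcard in delegation list'
        }
        # basic/digest in the scheme list re-enable the password prompt fallback
        if ($n -eq 'AuthSchemes' -and $value -match 'basic|digest') {
            $warn = 'basic/digest allowed: password prompt fallback possible'
        }
        [pscustomobject]@{ Policy = $n; Value = $value; Warning = $warn }
    }
}

# Usage (hostname is a placeholder)
Set-ChromeIwaPolicy -Server 'MYSPRSERVER.DOMAIN.COM'
Get-ChromeIwaPolicy | Format-Table -AutoSize
```

Restart Chrome after changing these values, since Dynamic Policy Refresh is No for all three policies.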
Configure GPO
- Download the zip file of ADM/ADMX templates and documentation from chromium.org/administrators/policy-templates.
- Add the ADMX template to your central store. For more information see the Specops Password Reset Administration Guide.
- Configure a GPO that sets the authentication server whitelist and the Kerberos delegation server whitelist to the DNS host name of the Specops Password Reset server.