Enable authentication to the Password Reset Web Server

Authentication to the Password Reset Web Server uses Windows Integrated Authentication (Kerberos or NTLM). For this to work, the browser must treat the server as an intranet server. If it does not, the browser will not send the user's Windows credentials automatically; instead the user is prompted for a username and password, which are then sent with "Basic Authentication". Basic Authentication carries the password in cleartext (Base64 is encoding, not encryption), so over plain HTTP it can be read by anyone on the network path. The sections below show how to mark the server as trusted for integrated authentication in each supported browser.

Enable integrated authentication in Internet Explorer

  1. Open the Group Policy Management Console.
  2. Right-click on the GPO node, and select Edit.
  3. In the Group Policy Management Editor, expand Computer Configuration, Policies, Administrative Templates, Windows Components, Internet Explorer, Internet Explorer Control Panel, and select Security Page.
  4. In the details pane, double-click Site to Zone Assignment List.
  5. Click Enable.
  6. Click Show….
  7. In the Value name text field, enter the URL of the Password Reset Web Server (for example https://MySprServer.domain.com).
  8. In the Value text field, enter the value "1". Zone 1 is the Local intranet zone, the zone in which Internet Explorer performs integrated authentication automatically. Do not use "2", which is the Trusted sites zone.
  9. In the Show Contents dialog box, click OK.
  10. Click OK to finish.
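The GPO setting above is stored as the ZoneMapKey registry values that Internet Explorer reads on every client. The following PowerShell script is an added example, not part of the Specops guide, that writes the same value directly into the local machine policy hive and reads it back to confirm the zone assignment. The server URL is an assumption; run the script in an elevated PowerShell session, since it writes under HKLM.

```powershell
# Added example (not from the Specops guide): apply the "Site to Zone Assignment List"
# entry that the GPO above produces, directly in the local machine policy hive, then verify it.
# The server URL is an assumption; replace it with your Password Reset Web Server.

$Server  = 'https://mysprserver.domain.com'   # assumed host name
$ZoneKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
$ParentKey = Split-Path $ZoneKey -Parent
$LocalIntranet = '1'   # 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites

function Set-SiteZone {
    param(
        [Parameter(Mandatory)][string]$Site,
        [Parameter(Mandatory)][ValidateSet('1','2','3','4')][string]$Zone
    )
    # The GPO also sets ListBox_Support_ZoneMapKey = 1 so that IE honours the policy list.
    New-Item -Path $ZoneKey -Force | Out-Null
    New-ItemProperty -Path $ParentKey -Name 'ListBox_Support_ZoneMapKey' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    # Layout used by the GPO: value name = site, value data = zone number, type REG_SZ.
    New-ItemProperty -Path $ZoneKey -Name $Site -PropertyType String -Value $Zone -Force | Out-Null
}

function Get-SiteZone {
    param([Parameter(Mandatory)][string]$Site)
    $item = Get-ItemProperty -Path $ZoneKey -Name $Site -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Site
}

Set-SiteZone -Site $Server -Zone $LocalIntranet

# Read-back check: a typo in the URL or a wrong zone number silently leaves the server
# in the Internet zone, and users get the Basic Authentication prompt described above.
$zone = Get-SiteZone -Site $Server
if ($zone -ne $LocalIntranet) {
    throw "Expected zone $LocalIntranet for $Server but found '$zone'"
}
"$Server is in zone $zone (Local intranet); Internet Explorer will use integrated authentication for it"
```

Because these values live under the Policies hive, they override anything the user sets in Internet Options, and they are replaced by the GPO on the next policy refresh if a GPO that contains a Site to Zone Assignment List also applies to the computer.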

Enable integrated authentication in Firefox

You can configure Firefox to use Windows Integrated Authentication.

  1. Open Firefox.
  2. In the address bar type about:config
  3. You will receive a security warning. To continue, click I'll be careful, I promise (newer versions label the button Accept the Risk and Continue).
  4. Change the following settings:

     Setting                                     Value
     network.automatic-ntlm-auth.trusted-uris    MySprServer.domain.com
     network.automatic-ntlm-auth.allow-proxies   True
     network.negotiate-auth.allow-proxies        True

     If the server should be used with Kerberos (Negotiate) rather than only NTLM, also add MySprServer.domain.com to network.negotiate-auth.trusted-uris. Firefox only sends Windows credentials to hosts listed in these trusted-uris settings; for any other host it prompts for a username and password.
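Typing these settings into about:config on every workstation does not scale. The following PowerShell script is an added example, not part of the Specops guide, that writes the same preferences into a user.js file in each Firefox profile of the current user; Firefox applies user.js on every start. It also adds network.negotiate-auth.trusted-uris, which the table above does not list but which is required for Kerberos (Negotiate). The server name is an assumption.

```powershell
# Added example (not from the Specops guide): write the about:config settings above into
# user.js for every Firefox profile of the current user. Server name is an assumption.
# Close Firefox before running this; it reads user.js only at startup.

$Server = 'MySprServer.domain.com'   # assumed host name

$Prefs = [ordered]@{
    'network.automatic-ntlm-auth.trusted-uris'  = $Server
    'network.automatic-ntlm-auth.allow-proxies' = $true
    'network.negotiate-auth.allow-proxies'      = $true
    # Not in the table above: required so that Kerberos (Negotiate), not only NTLM, is used.
    'network.negotiate-auth.trusted-uris'       = $Server
}

function ConvertTo-UserJs {
    param([System.Collections.IDictionary]$Preferences)
    # user.js syntax: user_pref("name", value); strings are quoted, booleans are bare true/false.
    foreach ($entry in $Preferences.GetEnumerator()) {
        $value = if ($entry.Value -is [bool]) {
            $entry.Value.ToString().ToLower()
        } else {
            '"' + $entry.Value + '"'
        }
        'user_pref("{0}", {1});' -f $entry.Key, $value
    }
}

function Get-FirefoxProfiles {
    $root = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path $root)) { return @() }
    Get-ChildItem -Path $root -Directory
}

$lines = @(ConvertTo-UserJs -Preferences $Prefs)
foreach ($profile in Get-FirefoxProfiles) {
    $userJs = Join-Path $profile.FullName 'user.js'
    # Append rather than overwrite so that settings already in user.js survive.
    Add-Content -Path $userJs -Value $lines -Encoding ASCII
    "Wrote $($lines.Count) preferences to $userJs"
}
```

If the script is run twice the lines are appended twice; Firefox uses the last occurrence of each preference, so the result is still correct. Preferences set through user.js are re-applied on every start, so a user cannot permanently change them from about:config.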

Enable integrated authentication in Chrome

To enable Chrome to use Windows Integrated Authentication, Chrome must be told which servers it may authenticate to. There are three ways to do this: command-line switches on a chrome.exe shortcut, registry policy values, or a GPO. Command-line switches or direct registry edits are suitable for one or a few computers. Where a group of users needs the setting, for example in a school where teachers should be able to reset student passwords, a GPO linked to the teachers' OU is the better choice.

Use the command line

Add a chrome.exe shortcut to the user's desktop that starts Chrome with the following command-line switches:

--auth-server-whitelist="MYSPRSERVER.DOMAIN.COM" --auth-negotiate-delegate-whitelist="MYSPRSERVER.DOMAIN.COM" --auth-schemes="digest,ntlm,negotiate"

The switches apply only to the Chrome instance started from that shortcut. If Chrome is already running when the shortcut is used, the new window joins the existing process and the switches are ignored, so the user must close Chrome first. Note that "basic" is deliberately absent from --auth-schemes: with that list Chrome cannot fall back to Basic Authentication, which would send the password in cleartext as described at the top of this page.
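The following PowerShell script is an added example, not part of the Specops guide, that creates the desktop shortcut described above with the three switches, using the Windows Script Host shortcut API. The server name, the Chrome install path and the https URL of the reset site are assumptions.

```powershell
# Added example (not from the Specops guide): create a desktop shortcut that starts Chrome
# with the integrated-authentication switches from the text. Server name, Chrome path and
# the site URL are assumptions.

$Server    = 'MYSPRSERVER.DOMAIN.COM'   # assumed host name
$ChromeExe = Join-Path ${env:ProgramFiles} 'Google\Chrome\Application\chrome.exe'   # assumed install path
if (-not (Test-Path $ChromeExe)) {
    $ChromeExe = Join-Path ${env:ProgramFiles(x86)} 'Google\Chrome\Application\chrome.exe'
}
if (-not (Test-Path $ChromeExe)) { throw "chrome.exe not found; set `$ChromeExe to the install path" }

function New-ChromeIwaShortcut {
    param(
        [Parameter(Mandatory)][string]$ServerName,
        [Parameter(Mandatory)][string]$ChromePath,
        [string]$ShortcutPath = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'Password Reset (Chrome).lnk')
    )
    # Same switches as in the text. "basic" is absent from --auth-schemes so that Chrome
    # cannot fall back to cleartext Basic Authentication if integrated authentication fails.
    $arguments = @(
        "--auth-server-whitelist=`"$ServerName`""
        "--auth-negotiate-delegate-whitelist=`"$ServerName`""
        '--auth-schemes="digest,ntlm,negotiate"'
        "https://$ServerName/"   # assumed URL of the reset site, opened directly
    ) -join ' '

    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut($ShortcutPath)
    $lnk.TargetPath       = $ChromePath
    $lnk.Arguments        = $arguments
    $lnk.WorkingDirectory = Split-Path $ChromePath -Parent
    $lnk.Save()
    return $lnk
}

$shortcut = New-ChromeIwaShortcut -ServerName $Server -ChromePath $ChromeExe
"Created $($shortcut.FullName)"
"Arguments: $($shortcut.Arguments)"
```

Because switches only apply to a freshly started Chrome process, this approach is only reliable when users open the reset site from this shortcut with no other Chrome window open; the registry or GPO methods below do not have that limitation.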

Modify the registry

Configure the following registry values under HKEY_LOCAL_MACHINE (applies to all users of the computer) or HKEY_CURRENT_USER (applies to one user). All three values are strings (REG_SZ), are supported on Google Chrome (Linux, Mac, Windows) since version 9, and have no dynamic policy refresh and no per-profile setting, so Chrome must be restarted after they are changed. Newer Chrome versions (86 and later) name these policies AuthServerAllowlist and AuthNegotiateDelegateAllowlist; the names below are the ones in the policy templates this guide refers to.

Registry value: AuthSchemes
  Data type: String (REG_SZ)
  Windows registry location: Software\Policies\Google\Chrome\AuthSchemes
  Mac/Linux preference name: AuthSchemes
  Supported on: Google Chrome (Linux, Mac, Windows) since version 9
  Supported features: Dynamic Policy Refresh: No, Per Profile: No
  Description: Specifies which HTTP Authentication schemes are supported by Google Chrome. Possible values are 'basic', 'digest', 'ntlm' and 'negotiate'. Separate multiple values with commas. If this policy is left not set, all four schemes will be used.
  Value: "digest,ntlm,negotiate"
  This matches the command-line example above. Leaving out "basic" means Chrome will not fall back to Basic Authentication, which sends the password in cleartext as described at the top of this page. Add "basic" only if another site used from the same computer requires it.

Registry value: AuthServerWhitelist
  Data type: String (REG_SZ)
  Windows registry location: Software\Policies\Google\Chrome\AuthServerWhitelist
  Mac/Linux preference name: AuthServerWhitelist
  Supported on: Google Chrome (Linux, Mac, Windows) since version 9
  Supported features: Dynamic Policy Refresh: No, Per Profile: No
  Description: Specifies which servers should be whitelisted for integrated authentication. Integrated authentication is only enabled when Google Chrome receives an authentication challenge from a proxy or from a server which is in this permitted list. Separate multiple server names with commas. Wildcards (*) are allowed. If you leave this policy not set, Chrome will try to detect if a server is on the intranet and only then will it respond to IWA requests. If a server is detected as Internet, IWA requests from it will be ignored by Chrome.
  Value: "MYSPRSERVER.DOMAIN.COM"

Registry value: AuthNegotiateDelegateWhitelist
  Data type: String (REG_SZ)
  Windows registry location: Software\Policies\Google\Chrome\AuthNegotiateDelegateWhitelist
  Mac/Linux preference name: AuthNegotiateDelegateWhitelist
  Supported on: Google Chrome (Linux, Mac, Windows) since version 9
  Supported features: Dynamic Policy Refresh: No, Per Profile: No
  Description: Servers that Google Chrome may delegate to. Separate multiple server names with commas. Wildcards (*) are allowed. If you leave this policy not set, Chrome will not delegate user credentials even if a server is detected as intranet. Keep this list to the Password Reset Web Server only: every host on it receives a forwardable Kerberos ticket, that is, it can act as the user towards other services.
  Example value: "MYSPRSERVER.DOMAIN.COM"
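The following PowerShell script is an added example, not part of the Specops guide, that sets the three policy values above in the machine policy hive, reads them back, and warns if "basic" has been left in AuthSchemes. The server name is an assumption; run it in an elevated PowerShell session.

```powershell
# Added example (not from the Specops guide): set the three Chrome policy values above under
# HKLM, read them back, and flag a cleartext fallback. Server name is an assumption.

$Server = 'MYSPRSERVER.DOMAIN.COM'   # assumed host name
$ChromePolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

$Policies = [ordered]@{
    AuthSchemes                    = 'digest,ntlm,negotiate'   # no "basic": no cleartext fallback
    AuthServerWhitelist            = $Server
    AuthNegotiateDelegateWhitelist = $Server                   # only the reset server may receive delegated credentials
}

function Set-ChromeAuthPolicy {
    param([System.Collections.IDictionary]$Values)
    New-Item -Path $ChromePolicyKey -Force | Out-Null
    foreach ($entry in $Values.GetEnumerator()) {
        # All three policies are REG_SZ strings.
        New-ItemProperty -Path $ChromePolicyKey -Name $entry.Key `
            -PropertyType String -Value $entry.Value -Force | Out-Null
    }
}

function Test-ChromeAuthPolicy {
    param([System.Collections.IDictionary]$Expected)
    $actual = Get-ItemProperty -Path $ChromePolicyKey -ErrorAction Stop
    $ok = $true
    foreach ($entry in $Expected.GetEnumerator()) {
        $found = $actual.($entry.Key)
        if ($found -ne $entry.Value) {
            Write-Warning "$($entry.Key) is '$found', expected '$($entry.Value)'"
            $ok = $false
        }
    }
    # Security check: with "basic" permitted, Chrome sends the password in cleartext
    # whenever integrated authentication fails, which is exactly the prompt this page warns about.
    $schemes = ($actual.AuthSchemes -split ',\s*')
    if ($schemes -contains 'basic') {
        Write-Warning 'AuthSchemes permits "basic"; remove it unless another site on this computer requires it'
        $ok = $false
    }
    return $ok
}

Set-ChromeAuthPolicy -Values $Policies
if (Test-ChromeAuthPolicy -Expected $Policies) {
    'Chrome policy applied; restart Chrome and confirm the values on chrome://policy'
}
```

Since these policies have no dynamic refresh, Chrome only picks them up after a restart. The chrome://policy page shows which values are in effect and whether they came from the machine or the user hive, which is the quickest way to confirm that the GPO or registry change actually reached the client.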

Configure GPO

  1. Download the zip file of ADM/ADMX templates and documentation from chromium.org/administrators/policy-templates.
  2. Add the ADMX template to your central store. For more information, see the Specops Password Reset Administration Guide.
  3. Create a GPO and set the Authentication server whitelist and the Kerberos delegation server whitelist policies to the DNS host name of the Specops Password Reset server (for example MYSPRSERVER.DOMAIN.COM). Optionally set Supported authentication schemes to exclude "basic", as in the registry values above, so that Chrome cannot fall back to cleartext Basic Authentication. Link the GPO to the OU that contains the computers or users who should be able to reset passwords.