Enabling authentication to the uReset.Web website

Authentication to the uReset.Web website uses Windows Integrated Authentication. For this to work, the service must be identified as an intranet server. If the browser is not configured to log the user in automatically, the user is prompted for their username and password.

NOTE
You cannot log in with Windows Integrated Authentication from the same machine the Gatekeeper is installed on. If you are using that machine, use the following link instead: https://www.ureset.com/uReset.Web/<domain.com>/BasicLogin/Start

Enable integrated authentication in Internet Explorer

Two GPOs, one affecting users and one affecting machines, should be configured with the following settings:

User GPO

  1. Open the Group Policy Management Console.
  2. Right-click on the GPO node, and select Edit.
  3. In the Group Policy Management Editor, expand User Configuration, Policies, Administrative Templates, Windows Components, Internet Explorer, Internet Explorer Control Panel, and select Security Page.
  4. In the details pane, double-click Site to Zone Assignment List.
    • Click Enable.
    • Click Show.
    • In the Value name text field, add https://www.ureset.com.
    • In the Value text field, use the value “1” for entries into the trusted zone.
    • In the Show Contents dialog box, click OK.
    • Click OK.
  5. Expand User Configuration, Policies, Administrative Templates, Windows Components, Internet Explorer, Internet Explorer Control Panel, Security Page, and select Internet Zone.

    • Double-click Allow Active Scripting.
    • Click Enable.
    • Click OK.
  6. Expand User Configuration, Preferences, Windows Settings. Create a new Registry Item (accepts all cookies for all sites):

    • Right-click Registry, select New, and click Registry Item.
    • Configure the fields using the following settings:
      Action: Update
      Hive: HKEY_CURRENT_USER
      Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
      ValueName: 1A10
      ValueType: REG_DWORD
      ValueData: 00000000

    Create a new Registry Item (accepts all cookies for just www.ureset.com; repeat for all other Identity services):

    • Right-click Registry, select New, and click Registry Item.
    • Configure the fields using the following settings:
      Action: Update
      Hive: HKEY_CURRENT_USER
      Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\www.ureset.com
      ValueName: Default
      ValueType: REG_DWORD
      ValueData: 00000001

Machine GPO

  1. Open the Group Policy Management Console.
  2. Right-click on the GPO node, and select Edit.
  3. Expand Computer Configuration, Policies, Administrative Templates, Windows Components, Internet Explorer, Internet Explorer Control Panel, Security Page, and select Internet Zone.
    • Double-click Allow Active Scripting.
    • Click Enable.
    • Click OK.
  4. Expand Computer Configuration, Preferences, Windows Settings. Create a new Registry Item (accepts all cookies for all sites):

    • Right-click Registry, select New, and click Registry Item.
    • Configure the fields using the following settings:
      Action: Update
      Hive: HKEY_LOCAL_MACHINE
      Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
      ValueName: 1A10
      ValueType: REG_DWORD
      ValueData: 00000000

    Create a new Registry Item (accepts all cookies for just www.ureset.com; repeat for all other Identity services):

    • Right-click Registry, select New, and click Registry Item.
    • Configure the fields using the following settings:
      Action: Update
      Hive: HKEY_LOCAL_MACHINE
      Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\www.ureset.com
      ValueName: Default
      ValueType: REG_DWORD
      ValueData: 00000001
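As an added check (this script is not part of the Specops documentation), the following PowerShell reads back, on a workstation where both GPOs have applied, the registry values that the User GPO and Machine GPO steps above produce and reports whether each one matches the documented data. It assumes the site is https://www.ureset.com as in the steps, and that the Site to Zone Assignment List policy stores its entries under the user hive's ...\Internet Settings\ZoneMapKey, which is where that policy writes them; run it in the user's own session. Note that the first registry item in each GPO (1A10 = 0 under Zones\3) relaxes cookie handling for the whole Internet zone, while the P3P\History item scopes the exception to www.ureset.com only; if the per-site exception is all your deployment needs, the zone-wide item is the one to leave out of both the GPO and this check.

```powershell
# Added example, not Specops code: audit the IE zone and cookie settings
# that the User GPO and Machine GPO steps are meant to produce.
$Site     = 'https://www.ureset.com'          # site from the GPO steps
$SiteHost = ([uri]$Site).Host                 # www.ureset.com

# Assumption: the Site to Zone Assignment List policy writes its entries to
# the ZoneMapKey policy key below (value name = URL, data "1" = Trusted sites).
# The other entries are the Group Policy Preference items from the steps.
$Checks = @(
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
       Name = $Site; Expected = '1'
       What = 'Site to Zone Assignment List (1 = Trusted sites)' }
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
       Name = '1A10'; Expected = 0
       What = 'User GPO: Internet zone cookie policy (0 = accept all)' }
    @{ Path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\$SiteHost"
       Name = 'Default'; Expected = 1
       What = "User GPO: per-site cookie override for $SiteHost" }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
       Name = '1A10'; Expected = 0
       What = 'Machine GPO: Internet zone cookie policy (0 = accept all)' }
    @{ Path = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\$SiteHost"
       Name = 'Default'; Expected = 1
       What = "Machine GPO: per-site cookie override for $SiteHost" }
)

function Test-UResetIeSettings {
    foreach ($c in $Checks) {
        # Read the single value; a missing key or value yields $null rather than an error.
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }

        $status = 'MISMATCH'
        if ($null -eq $actual) { $status = 'MISSING' }
        elseif ($actual -eq $c.Expected) { $status = 'OK' }

        [pscustomobject]@{
            Setting  = $c.What
            Location = "$($c.Path)\$($c.Name)"
            Expected = $c.Expected
            Actual   = $actual
            Status   = $status
        }
    }
}

Test-UResetIeSettings | Format-Table -AutoSize
```

Run it after gpupdate in the affected user's session; a MISSING row for the HKLM entries usually means the Machine GPO has not applied to the computer yet, while a MISSING ZoneMapKey row means the user-side Site to Zone Assignment List has not reached the user.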

Enable integrated authentication in Firefox

You can configure Firefox to use Windows Integrated Authentication.

  1. Open Firefox.
  2. In the address bar type about:config
  3. You will receive a security warning. To continue, click I’ll be careful, I promise.
  4. You will need to change the following settings:

     Setting                                    Value
     network.automatic-ntlm-auth.trusted-uris   www.ureset.com
     network.automatic-ntlm-auth.allow-proxies  True
     network.negotiate-auth.allow-proxies       True
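Editing about:config sets these preferences for one profile on one machine. As an added example (not part of the Specops documentation), the PowerShell below deploys the same settings through Firefox's enterprise policy file, distribution\policies.json, so that every profile on the machine picks them up. It assumes Firefox is installed in its default location under Program Files, and that the Authentication policy's NTLM list corresponds to network.automatic-ntlm-auth.trusted-uris and its AllowProxies flag to the two allow-proxies preferences listed above.

```powershell
# Added example, not Specops code: write the Firefox authentication settings
# from the table above as an enterprise policy instead of about:config edits.
$FirefoxDir = Join-Path $env:ProgramFiles 'Mozilla Firefox'        # assumption: default install path
$PolicyFile = Join-Path $FirefoxDir 'distribution\policies.json'

$Policy = @{
    policies = @{
        Authentication = @{
            # network.automatic-ntlm-auth.trusted-uris = www.ureset.com
            NTLM         = @('www.ureset.com')
            # network.automatic-ntlm-auth.allow-proxies = True
            # network.negotiate-auth.allow-proxies      = True
            AllowProxies = $true
        }
    }
}

function Write-FirefoxAuthPolicy {
    # Creates the distribution folder on first use. If a policies.json already
    # exists, merge the Authentication key into it instead of overwriting the file.
    $dir = Split-Path $PolicyFile -Parent
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $Policy | ConvertTo-Json -Depth 5 | Set-Content -Path $PolicyFile -Encoding UTF8
}

function Read-FirefoxAuthPolicy {
    # Read the file back so the deployed values can be confirmed.
    (Get-Content -Path $PolicyFile -Raw | ConvertFrom-Json).policies.Authentication
}

Write-FirefoxAuthPolicy
Read-FirefoxAuthPolicy
```

Keep the NTLM list to the exact uReset host as the table does; every host on that list receives the user's NTLM response automatically, so it should contain only servers that are meant to authenticate the user.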

Enable integrated authentication in Chrome

The latest version of Chrome uses existing Internet Explorer settings. Older versions of Chrome require additional configuration.

Older versions of Chrome not supporting IE settings

To enable Chrome to use Windows Integrated Authentication, you must configure Chrome.exe. It is recommended that most organizations use the command line alternative or modify the registry on one or a few computers. In other organizations, such as schools, where a teacher should be able to reset student passwords, it might be best to use a GPO for the teacher’s OU.

Use the command line

You can add a chrome.exe shortcut on the user’s desktop. Start Chrome with a command line containing the following:

  --auth-server-whitelist="www.ureset.com" --auth-negotiate-delegate-whitelist="www.ureset.com" --auth-schemes="digest,ntlm,negotiate"

Modify the registry

Configure the following registry settings with the corresponding values:

Registry value: AuthSchemes
  Data type: String (REG_SZ)
  Windows registry location: Software\Policies\Google\Chrome\AuthSchemes
  Mac/Linux preference name: AuthSchemes
  Supported on: Google Chrome (Linux, Mac, Windows) since version 9
  Supported features: Dynamic Policy Refresh: No, Per Profile: No
  Description: Specifies which HTTP authentication schemes Google Chrome supports. Possible values are 'basic', 'digest', 'ntlm' and 'negotiate'. Separate multiple values with commas. If this policy is left unset, all four schemes are used.
  Value: "basic,digest,ntlm,negotiate"

Registry value: AuthServerWhitelist
  Data type: String (REG_SZ)
  Windows registry location: Software\Policies\Google\Chrome\AuthServerWhitelist
  Mac/Linux preference name: AuthServerWhitelist
  Supported on: Google Chrome (Linux, Mac, Windows) since version 9
  Supported features: Dynamic Policy Refresh: No, Per Profile: No
  Description: Specifies which servers are whitelisted for integrated authentication. Integrated authentication is only enabled when Google Chrome receives an authentication challenge from a proxy or from a server on this list. Separate multiple server names with commas. Wildcards (*) are allowed. If this policy is left unset, Chrome tries to detect whether a server is on the intranet and responds to IWA requests only then; IWA requests from a server detected as Internet are ignored.
  Value: "MYURESETWEB.DOMAIN.COM"

Registry value: AuthNegotiateDelegateWhitelist
  Data type: String (REG_SZ)
  Windows registry location: Software\Policies\Google\Chrome\AuthNegotiateDelegateWhitelist
  Mac/Linux preference name: AuthNegotiateDelegateWhitelist
  Supported on: Google Chrome (Linux, Mac, Windows) since version 9
  Supported features: Dynamic Policy Refresh: No, Per Profile: No
  Description: Servers to which Google Chrome may delegate. Separate multiple server names with commas. Wildcards (*) are allowed. If this policy is left unset, Chrome does not delegate user credentials even if a server is detected as intranet.
  Example value: "MYURESETWEB.DOMAIN.COM"
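The three registry values above can be written and read back with PowerShell on the computers that need them. This is an added example, not from the Specops documentation; it assumes an elevated session and uses the placeholder host name MYURESETWEB.DOMAIN.COM from the table, which you replace with the DNS host name of your uReset server.

```powershell
# Added example, not Specops code: set the three Chrome authentication policies
# from the table under HKLM and confirm what the registry now holds.
$ChromePolicy = 'HKLM:\Software\Policies\Google\Chrome'
$UResetHost   = 'MYURESETWEB.DOMAIN.COM'   # placeholder from the table; use your server's DNS name

# Values as documented. Both whitelists name only the uReset host: the server
# whitelist decides which servers get an IWA response at all, the delegate
# whitelist which servers may receive delegated Kerberos credentials.
$Desired = [ordered]@{
    AuthSchemes                    = 'basic,digest,ntlm,negotiate'
    AuthServerWhitelist            = $UResetHost
    AuthNegotiateDelegateWhitelist = $UResetHost
}

function Set-ChromeIwaPolicy {
    if (-not (Test-Path $ChromePolicy)) { New-Item -Path $ChromePolicy -Force | Out-Null }
    foreach ($name in $Desired.Keys) {
        # REG_SZ, as the table's data type requires; -Force overwrites an existing value.
        New-ItemProperty -Path $ChromePolicy -Name $name -PropertyType String `
                         -Value $Desired[$name] -Force | Out-Null
    }
}

function Test-ChromeIwaPolicy {
    # Compare each policy value in the registry with the documented value.
    $current = Get-ItemProperty -Path $ChromePolicy -ErrorAction SilentlyContinue
    foreach ($name in $Desired.Keys) {
        $actual = if ($null -ne $current) { $current.$name } else { $null }
        [pscustomobject]@{
            Policy   = $name
            Expected = $Desired[$name]
            Actual   = $actual
            Match    = ($actual -eq $Desired[$name])
        }
    }
}

Set-ChromeIwaPolicy
Test-ChromeIwaPolicy | Format-Table -AutoSize
```

Two points worth keeping in mind when adapting the values: the table allows wildcards in both whitelists, and a wildcard entry extends the IWA response, or the credential delegation, to every host it matches, so the exact host name is the safer entry. The table lists 'basic' in AuthSchemes while the command line earlier on this page does not; Basic makes the browser send the user's password itself rather than a Kerberos ticket or NTLM response, so it can be left out of AuthSchemes when nothing else requires it.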

Configure GPO

  1. Download the zip file of ADM/ADMX templates and documentation from www.chromium.org/administrators/policy-templates.
  2. Add the ADMX template to your central store.

NOTE
The Central Store for Administrative Templates lets you keep all template files in a single location on SYSVOL, where they can be accessed and presented on any server in your domain. To create a Central Store for Group Policy Administrative Templates, copy the Specops Authentication Client ADMX/ADML files from %windir%\PolicyDefinitions.

The ADMX should be copied to:

\\<domainfqdn>\sysvol\<domainfqdn>\Policies\PolicyDefinitions

The ADML should be copied to:

\\<domainfqdn>\sysvol\<domainfqdn>\Policies\PolicyDefinitions\en-us

For more information about the Central Store and best practices, visit: www.support.microsoft.com/kb/929841

Configure a GPO that enables the Authentication server whitelist and the Kerberos delegation server whitelist, with both set to the DNS host name of the Specops uReset server.