End-of-life Notice
Specops uReset 7.12 and below has reached end-of-life. Therefore no services of any kind will be available for this product. Please migrate to uReset 8 with our migration guide.
Enabling authentication to the uReset.Web website
Authentication to the uReset.Web website is done through Windows Integrated Authentication. The service must be identified as an intranet server for this to work. If the browser is not configured to automatically log in the user, the user will be prompted for their username and password.
Enable integrated authentication in Internet Explorer
Two GPOs, one affecting users and one affecting machines, should be configured with the following settings:
User GPO
- Open the Group Policy Management Console.
- Right-click on the GPO node, and select Edit.
- In the Group Policy Management Editor, expand User Configuration, Policies, Administrative Templates, Windows Components, Internet Explorer, Internet Explorer Control Panel, and select Security Page.
- In the details pane, double-click Site to Zone Assignment List.
- Click Enable.
- Click Show.
- In the Value name text field, add https://www.ureset.com.
- In the Value text field, use the value "1", which assigns the site to the Local intranet zone.
- In the Show Contents dialog box, click OK.
- Click OK.
- Expand User Configuration, Policies, Administrative Templates, Windows Components, Internet Explorer, Internet Explorer Control Panel, Security Page, and select Internet Zone.
- Double-click Allow Active Scripting.
- Click Enable.
- Click OK.
- Expand User Configuration, Preferences, Windows Settings, and create the following registry items.
Create a new Registry Item (Accepts all Cookies for all Sites)
- Right-click Registry, select New, and click Registry Item.
- Configure the fields using the following settings:
Action: Update
Hive: HKEY_CURRENT_USER
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ValueName: 1A10
ValueType: REG_DWORD
ValueData: 00000000
Create a new Registry Item (Accepts all Cookies for just www.ureset.com and repeat for all other Identity services.)
- Right-click Registry, select New, and click Registry Item.
- Configure the fields using the following settings:
Action: Update
Hive: HKEY_CURRENT_USER
Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\www.ureset.com
ValueName: Default
ValueType: REG_DWORD
ValueData: 00000001
Machine GPO
- Open the Group Policy Management Console.
- Right-click on the GPO node, and select Edit.
- Expand Computer Configuration, Policies, Administrative Templates, Windows Components, Internet Explorer, Internet Explorer Control Panel, Security Page, and select Internet Zone.
- Double-click Allow Active Scripting.
- Click Enable.
- Click OK.
- Expand Computer Configuration, Preferences, Windows Settings, and create the following registry items.
Create a new Registry Item (Accepts all Cookies for all Sites)
- Right-click Registry, select New, and click Registry Item.
- Configure the fields using the following settings:
Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ValueName: 1A10
ValueType: REG_DWORD
ValueData: 00000000
Create a new Registry Item (Accepts all Cookies for just www.ureset.com and repeat for all other Identity services.)
- Right-click Registry, select New, and click Registry Item.
- Configure the fields using the following settings:
Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\www.ureset.com
ValueName: Default
ValueType: REG_DWORD
ValueData: 00000001
Enable integrated authentication in Firefox
You can configure Firefox to use Windows Integrated Authentication.
- Open Firefox.
- In the address bar type about:config
- You will receive a security warning. To continue, click I’ll be careful, I promise.
- You will need to change the following settings:
Setting | Value |
network.automatic-ntlm-auth.trusted-uris | www.ureset.com |
network.automatic-ntlm-auth.allow-proxies | True |
network.negotiate-auth.allow-proxies | True |
Enable integrated authentication in Chrome
The latest version of Chrome uses existing Internet Explorer settings. Older versions of Chrome require additional configuration.
Older versions of Chrome not supporting IE settings
To enable Chrome to use Windows Integrated Authentication, you must configure Chrome.exe. It is recommended that most organizations use the command line alternative or modify the registry on one or a few computers. In other organizations, such as schools, where a teacher should be able to reset student passwords, it might be best to use a GPO for the teacher’s OU.
Use the command line
You can add a chrome.exe shortcut on the user’s desktop. Start Chrome with a command line containing the following:
--auth-server-whitelist="www.ureset.com" --auth-negotiate-delegate-whitelist="www.ureset.com" --auth-schemes="digest,ntlm,negotiate"
Modify the registry
Configure the following registry settings with the corresponding values:
AuthSchemes
Data type: String (REG_SZ)
Windows registry location: Software\Policies\Google\Chrome\AuthSchemes
Mac/Linux preference name: AuthSchemes
Supported on:
Supported features: Dynamic Policy Refresh: No, Per Profile: No
Description: Specifies which HTTP authentication schemes are supported by Google Chrome. Possible values are 'basic', 'digest', 'ntlm' and 'negotiate'. Separate multiple values with commas. If this policy is left not set, all four schemes will be used.
Value: "basic,digest,ntlm,negotiate"
AuthServerWhitelist
Data type: String (REG_SZ)
Windows registry location: Software\Policies\Google\Chrome\AuthServerWhitelist
Mac/Linux preference name: AuthServerWhitelist
Supported on:
Supported features: Dynamic Policy Refresh: No, Per Profile: No
Description: Specifies which servers should be whitelisted for integrated authentication. Integrated authentication is only enabled when Google Chrome receives an authentication challenge from a proxy or from a server which is in this permitted list. Separate multiple server names with commas. Wildcards (*) are allowed. If you leave this policy not set, Chrome will try to detect if a server is on the Intranet and only then will it respond to IWA requests. If a server is detected as Internet, then IWA requests from it will be ignored by Chrome.
Value: "MYURESETWEB.DOMAIN.COM"
AuthNegotiateDelegateWhitelist
Data type: String (REG_SZ)
Windows registry location: Software\Policies\Google\Chrome\AuthNegotiateDelegateWhitelist
Mac/Linux preference name: AuthNegotiateDelegateWhitelist
Supported on:
Supported features: Dynamic Policy Refresh: No, Per Profile: No
Description: Servers that Google Chrome may delegate to. Separate multiple server names with commas. Wildcards (*) are allowed. If you leave this policy not set, Chrome will not delegate user credentials even if a server is detected as Intranet.
Example value: "MYURESETWEB.DOMAIN.COM"
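The following PowerShell audit is an added example, not part of the Specops documentation or its tooling. It reads the registry values this page tells you to deploy (the Chrome policies in the table above and the cookie registry items from the User GPO) and reports any that are missing, or that are broader than the single uReset.Web host; it assumes the Chrome policies are in the machine hive (HKLM) and uses www.ureset.com as the placeholder host name.

```powershell
# Added audit example, not part of the Specops documentation. Reads the values
# this page deploys via GPO and reports gaps. Assumes Chrome policy in HKLM;
# the host name is the page's placeholder, replace it with your uReset.Web name.
$UResetHost = 'www.ureset.com'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or the value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Split-List([string]$Value) { $Value -split ',' | ForEach-Object { $_.Trim() } }

function Test-UResetIwaConfig {
    $findings = @()

    # Chrome policies from the "Modify the registry" table.
    $chrome = 'HKLM:\Software\Policies\Google\Chrome'
    foreach ($name in 'AuthServerWhitelist', 'AuthNegotiateDelegateWhitelist') {
        $value = Get-RegValue -Path $chrome -Name $name
        if (-not $value) {
            $findings += "$name is not set; Chrome falls back to intranet auto-detection"
        } elseif ((Split-List $value) -contains '*') {
            # A bare wildcard lets any challenging server obtain the user's
            # Negotiate/NTLM response (and, for the delegate list, delegated credentials).
            $findings += "$name contains a bare '*'; scope it to $UResetHost"
        } elseif ((Split-List $value) -notcontains $UResetHost) {
            $findings += "$name ($value) does not include $UResetHost"
        }
    }
    $schemes = Get-RegValue -Path $chrome -Name 'AuthSchemes'
    if ($schemes -and (Split-List $schemes) -notcontains 'negotiate') {
        $findings += "AuthSchemes ($schemes) omits 'negotiate'; Kerberos will not be offered"
    }

    # Cookie settings from the User GPO registry items (Zones\3 is the Internet zone).
    $zone3 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    if ((Get-RegValue -Path $zone3 -Name '1A10') -ne 0) {
        $findings += 'Zones\3 value 1A10 is not 0; Internet-zone cookies may be blocked'
    }
    $p3p = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\$UResetHost"
    if ((Get-RegValue -Path $p3p -Name 'Default') -ne 1) {
        $findings += "P3P\History\$UResetHost Default is not 1; per-site cookie override missing"
    }

    if ($findings.Count -eq 0) { 'OK: all uReset IWA settings present and host-scoped' } else { $findings }
}
Test-UResetIwaConfig
```

Run it in the user's session on a workstation that has received the GPO; a wildcard finding on AuthNegotiateDelegateWhitelist is the one to fix first, since that list controls which servers receive delegated credentials.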
Configure GPO
- Download the ZIP file of ADM/ADMX templates and documentation from: www.chromium.org/administrators/policy-templates.
- Add the ADMX template to your central store:
The ADMX should be copied to:
\\<domainfqdn>\sysvol\<domainfqdn>\Policies\PolicyDefinitions
The ADML should be copied to:
\\<domainfqdn>\sysvol\<domainfqdn>\Policies\PolicyDefinitions\en-us
For more information about the Central Store and best practices, visit: www.support.microsoft.com/kb/929841
Configure a GPO that enables both the Kerberos delegation server whitelist and the Authentication server whitelist policies, with the Specops uReset server DNS host name as their value.