Integrated Windows Auth (NTLM) on a Mac using Google Chrome or Safari

An IIS7 intranet site has Windows Authentication enabled. When hit from Chrome on Windows the pass-through authentication works fine (no user/password prompt); however, from Chrome on a Mac you get a prompt. Since the internal network uses CAC/PKI, no one has a password.

I've tried toggling the Windows Authentication on the site to Negotiate, but I get the same user/pass prompt.

appcmd set config /section:windowsAuthentication /-providers.[value='Negotiate']

Anyone know a solution for Chrome on OS X?

EDIT

OS X 10.6.8

Centrify for Mac will be used to authenticate to the (Windows 2008 R2 Active Directory) network via CAC.

EDIT 2

There is a proxy setup, but it gets bypassed for local intranet sites, so I don't think it is playing a role.

Also tried using the --auth-server-whitelist command line switch, didn't work.

EDIT 3

SOLUTION

open 'Google Chrome.app' --args --auth-server-whitelist="*DOMAIN.TLD" --auth-negotiate-delegate-whitelist="*DOMAIN.TLD" --auth-schemes="digest,ntlm,negotiate"

Unfortunately Google Chrome for Mac has no way of specifying command line arguments on every load, so some sort of shell script will need to be made.

Running the following shell script at login was the final solution to get around Chrome updates and extra dock icons.

#!/bin/bash
# Replaces the Chrome binary inside the app bundle with a wrapper that adds
# the auth switches. The file is written via "sudo tee": with
# "sudo echo ... > file" the redirection is done by the unprivileged shell,
# so it cannot write into the bundle. Note that patching the bundle this way
# changes its contents, so it has to be re-applied after every Chrome update.
cd "/Applications/Google Chrome.app/Contents/MacOS/" || exit 1
if [ -f 'Google Chrome.bin' ]; then
   echo "Already Modified"
else
   sudo chmod u+wr ./
   sudo mv 'Google Chrome' 'Google Chrome.bin'
   # "--args" is an option of the "open" command, not of Chrome, so it is not
   # passed here; "$@" forwards whatever the OS hands the launcher (URLs etc.).
   sudo tee 'Google Chrome' >/dev/null <<'EOF'
#!/bin/bash
exec "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome.bin" --auth-server-whitelist="*DOMAIN.TLD" --auth-negotiate-delegate-whitelist="*DOMAIN.TLD" --auth-schemes="digest,ntlm,negotiate" "$@"
EOF
   sudo chmod a+x 'Google Chrome'
   echo "NTLM will now work in Chrome"
fi
asked Dec 23 '11 13:12 by Louis Ricci
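An added example, not code from the original post, that does the same job as the SOLUTION above without patching the binary inside Google Chrome.app: it builds Chrome's authentication switches for one intranet domain, installs a separate launcher script that starts the installed Chrome through `open -a`, and parses a 401 response to show which schemes the IIS site offers. The launcher path, the use of `open -a`, the tighter `*.DOMAIN.TLD,DOMAIN.TLD` allowlist pattern and the choice to drop Basic/Digest from `--auth-schemes` are my assumptions, not anything the post states; the switch names are the ones the post used (newer Chrome spells them `--auth-server-allowlist` and `--auth-negotiate-delegate-allowlist`). The 401 response at the bottom is constructed, not captured.

```shell
#!/bin/bash
# Added example, not code from the original post. Builds the Chrome auth
# switches for one intranet domain, installs a separate launcher instead of
# replacing the binary inside Google Chrome.app, and parses a 401 response
# to see which schemes the site offers. The launcher path, `open -a`, the
# allowlist pattern and the scheme list are assumptions of this example.
set -u

# Print the three switches, one per line. The allowlist is "*.DOMAIN,DOMAIN"
# rather than the post's "*DOMAIN": as a plain wildcard, "*DOMAIN" also
# matches any host whose name merely ends in that string, and every host the
# delegate allowlist matches is handed the user's Kerberos credentials, so
# the tighter pattern matters. Basic and Digest are left out of
# --auth-schemes: CAC users have no password to type, so a prompt can only
# be a mistake.
chrome_auth_args() {
    local domain
    domain="$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/^[*.]*//')"
    case "$domain" in
        ''|*[!a-z0-9.-]*) echo "chrome_auth_args: bad domain '$1'" >&2; return 1 ;;
    esac
    local list="*.${domain},${domain}"
    printf '%s\n' "--auth-server-whitelist=${list}" \
                  "--auth-negotiate-delegate-whitelist=${list}" \
                  "--auth-schemes=negotiate,ntlm"
}

# Write a launcher (e.g. /usr/local/bin/chrome-intranet) that starts the
# installed Chrome through `open -a` with those switches. Nothing inside the
# app bundle is touched, so Chrome updates and the bundle's code signature
# are unaffected. `open --args` only reaches Chrome when it is not already
# running, so quit Chrome before using the launcher.
install_chrome_launcher() {
    local domain="$1" launcher="$2" args
    args="$(chrome_auth_args "$domain")" || return 1
    mkdir -p "$(dirname "$launcher")" || return 1
    {
        printf '#!/bin/sh\n'
        printf '# Chrome with Kerberos/NTLM single sign-on for %s\n' "$domain"
        printf 'exec open -a "Google Chrome" --args'
        # each switch single-quoted so the "*" is not glob-expanded at run time
        printf '%s\n' "$args" | while IFS= read -r a; do printf " '%s'" "$a"; done
        printf ' "$@"\n'
    } > "$launcher" || return 1
    chmod 755 "$launcher"
}

# From raw response headers, print the authentication schemes offered
# (lowercased, one per line). Feed it the output of
# `curl -sI http://intranet.DOMAIN.TLD/` to confirm the site advertises
# Negotiate/NTLM (what the switches above unlock) and not only Basic.
offered_auth_schemes() {
    printf '%s\n' "$1" \
      | tr -d '\r' \
      | grep -i '^WWW-Authenticate:' \
      | sed -E 's/^[^:]*:[[:space:]]*([A-Za-z]+).*/\1/' \
      | tr 'A-Z' 'a-z' \
      | sort -u
}

# Constructed sample (not a captured response): a 401 as IIS 7 with Windows
# Authentication and the Negotiate and NTLM providers returns it.
SAMPLE_401='HTTP/1.1 401 Unauthorized
Content-Type: text/html
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Server: Microsoft-IIS/7.0'

# Stand-alone demo on the constructed sample (touches no files, no network).
# To install for real: install_chrome_launcher DOMAIN.TLD /usr/local/bin/chrome-intranet
offered_auth_schemes "$SAMPLE_401"
```

Point the Dock icon or login item at the launcher rather than at Google Chrome.app, and make sure a Kerberos ticket exists for the user (via Centrify and the CAC, in the setup described above) before launching; with no ticket Chrome still falls back to the prompt for NTLM.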



1 Answer

This isn't a bug at the moment. The Mac version of Chrome simply does not support/respect Kerberos policies ("Negotiate" Windows Authentication) unless the domain is white-listed and the browser is fired from the command line. See this link posted 10/31/2011:

http://code.google.com/p/chromium/issues/detail?id=102339

It looks like you might be able to permanently white-list a domain though:

http://www.google.com/support/forum/p/Chrome/thread?tid=592eb87350d9d528&hl=en


Since you have already tried the white-list switch, I looked closer and it is an OSX thing... 10.7 is necessary for the switch to work properly with Chrome. Your 10.6 version won't work without a third party tool like Centrify.

Not a happy answer, but the truth.

answered Sep 19 '22 07:09 by one.beat.consumer