Настройка Kerberos аутентификации в различных браузерах

В этой статья, мы рассмотрим, как настроить Kerberos аутентификацию для различных браузеров в домене Windows для прозрачной и безопасной аутентификации на веб-серверах без необходимости повторного ввода пароля в корпоративной сети. В большинстве современных браузерах (IE, Chrome, Firefox) имеется поддержка Kerberos, однако, чтобы она работала, нужно выполнить несколько дополнительных действий.

Чтобы браузер мог авторизоваться на веб-сервере, нужно, чтобы были выполнены следующие условия:

• Поддержка Kerberos должны быть включена на стороне веб-сервера (пример настройки Kerberos авторизации на сайте IIS)
• Наличие у пользователя прав доступа к серверу
• Пользователь должен быть аутентифицирован на своем компьютере в Active Directory с помощью Kerberos (должен иметь TGT — Kerberos Ticket Granting Ticket).

К примеру, мы хотим разрешить клиентам Kerberos авторизацию через браузер на всех веб серверах домена winitpro.ru (нужно использовать именно DNS или FQDN, а не IP адрес веб сервера)

Настройка Kerberos аутентификации в Internet Explorer

Рассмотрим, как включить Kerberos аутентификацию в Internet Explorer 11.

Откройте Свойства браузера -> Безопасность -> Местная интрасеть (Local intranet), нажмите на кнопку Сайты -> Дополнительно. Добавьте в зону следующие записи:

Далее перейдите на вкладку Дополнительно (Advanced) и в разделе Безопасность (Security) убедитесь, что включена опция Разрешить встроенную проверку подлинности Windows (Enable Integrated Windows Authentication).

Включаем Kerberos аутентификацию в Google Chrome

Чтобы SSO работала в Google Chrome, нужно настроить Internet Explorer вышеописанным способом (Chrome использует данные настройки IE). Кроме того, нужно отметить, что все новые версии Chrome автоматически определяют наличие поддержки Kerberos. В том случае, если используется одна из старых версий Chrome (Chromium), для корректной авторизации на веб-серверах с помощью Kerberos, его нужно запустить с параметрами:

«C:\Program Files (x86)\Google\Chrome\Application\chrome.exe” —auth-server-whitelist=»*.winitpro.ru» —auth-negotiate-delegate-whitelist=»*.winitpro.ru»

Либо эти параметры могут быть распространены через групповые политики для Chrome (политика AuthServerWhitelist) или строковый параметр реестра AuthNegotiateDelegateWhitelist (находится в ветке HKLM\SOFTWARE\Policies\Google\Chrome).

Для вступления изменений в силу нужно перезагрузить браузер и сбросить тикеты Kerberos командой klist purge (см. статью).

Настройка Kerberos аутентификации в Mozilla Firefox

По умолчанию поддержка Kerberos в Firefox отключена, чтобы включить ее, откройте окно конфигурации браузера (в адресной строке перейдите на адрес about:config). Затем в следующих параметрах укажите адреса веб-серверов, для которых должна использоваться Kerberos аутентификация.

Проверить, что ваш браузер работает через аутентифицировался на сервере с помощью Kerberos можно с помощью Fiddler или команды klist tickets.

NTLM аутентификация в Firefox

Если вы, как и я для работы с web предпочитаете использовать браузер Firefox, вероятно вы уже сталкивались с неудобствами при доступе вашим любимым браузером к различным интернет сервисам, использующих механизм аутентификации Windows — NTLM (это могут быть, например, портал Sharepoint, внутренний сайт с аутентификацией в AD и т.д.). При доступе к таким сайтам Firefox каждый раз предлагает вам ввести пару: имя пользователя windows и пароль (Internet Explorer в таких случаях аутентифицируется на таких сайтах прозрачно, без необходимости ввода пароля). К счастью, Firefox поддерживает сквозную (pass through) аутентификацию на сайтах, поддерживающих авторизацию NTLM (естественно пользователь должен быть залогинен в системе и иметь права доступа на интересующем его сайте.).

1. Запустите Firefox и в адресной строке введите about:config и нажмите ENTER
2. Согласитесь с тем предупреждением о потенциальной угрозе, которую можно вызвать некорректной настройкой параметров браузера.
3. В строке фильтров укажите ключевой слово NTLM, в результате чего перед вами останется три параметра, нас интересует параметр network.automatic-ntlm-auth.trusted-uris.
4. Дважды щелкнув по данному параметру, откроется окно с текстовым полем, куда можно внести список URL (через запятую), для которых будет поддерживаться автоматическая сквозная NTLM аутентификация. Формат такой: _http://web.winitpro.ru, _ftp://siteftp.winitpro.ru. Если необходимо добавить все сайты в домене (обычно это внутренний корпоративный домен), нужно указать: .winitpro.ru

Кстати, рекомендую познакомиться со статьей, описывающей проблемы NTLM аутентификации Windows 7 на Squid .

Firefox authentication: how to enable and configure NTLM

Description

When using IIS, Firefox may ask for user name and password when accessing the QlikView AccessPoint or the QlikView Management Console.

To use NTLM authentication with Firefox, the preference » network.automatic-ntlm-auth.trusted-uris » needs to be set. This allows Firefox to pass the NTLM authentication information to a web server.

On non-Windows systems, like Linux or Mac: the Access Point may get stuck on «logging in», In that case, NTLM needs to be set to version 1.

Cause

Resolution

On Windows systems:

• Open Firefox and type “about:config” in the address bar. (without the quotes)
• In the ‘Filter’ field type the following “network.automatic-ntlm-auth.trusted-uris” (without the quotes)
• Double click the name of the preference
• Enter the URLs of the sites you wish to pass NTLM authentication to in the form of:
• http://intranet.company.com,http://email.company.lan
• Notice that you can use a comma separated list in this field.

On non Windows systems (Mac / Linux / Unix) :

• Open Firefox and type “about:config” in the address bar. (without the quotes)
• In the ‘Filter’ field type the following “network.negotiate-auth.allow-insecure-ntlm-v1” (without the quotes)
• Double click the name of the preference. That should change the value from false to true.
• Close and reopen Firefox: you now should be able to login

Get Answers

Qlik Community

Collaborate with over 60,000 Qlik technologists and members around the world to get answers to your questions, and maximize success.

Have a Question?

Search Qlik’s Support Knowledge database or request assisted support for highly complex issues.

Critical Issues

Experiencing a serious issue, please contact us by phone. For Data Integration related issues please refer to your onboarding documentation for current phone number.

What if I’m locked out of Two-Step Authentication?

This article explains what to do if you have been locked out of your Firefox Account two-step authentication login.

• If you received a message that your Firefox Account was locked because a confirmation email was returned, see the I’m having problems confirming my Firefox Account article instead.

Two-step authentication adds extra security to your Firefox account by making it harder for someone else to log in to your account. If you’ve gotten locked out of your two-step authentication login, you can use a recovery code to securely regain access to your account. Alternatively, if you have a device still signed in to your account, you can use that device to disable two-factor authentication so you can log in to your account without two-factor authentication.

Table of Contents

I have my two-step authentication device

1. Go to https://accounts.firefox.com and login.
2. Enter the authentication code from your authentication application.
3. After login, go to Security and click Disable next to Two-step authentication.
4. A confirmation prompt will appear. Click the Disable button in the Disable two-step authentication? prompt.

I lost my two-step authentication device but I have another logged-in device.

If you’re locked out of your account but have a device still logged in via two-factor authentication, you can use that device to disable two-factor authentication:

1. Go to https://accounts.firefox.com and login.
2. Under Security, click Disable next to Two-step authentication.
3. Click the Disable button in the Disable two-step authentication? prompt.

I lost my two-step authentication device but I have a recovery code.

1. Go to https://accounts.firefox.com and login.
2. If you are prompted for a two-step authentication code, click Trouble entering code? and enter one of your saved recovery codes.
   • If you don’t remember saving your recovery code, check if your file was downloaded and saved with the filename Firefox Recovery Codes.txt.
3. Go to Security and click Disable next to Two-step authentication.

I have my two-step authentication device

1. Go to https://accounts.firefox.com and login.
2. Enter the authentication code from your authentication application.
3. After login, expand the Two-step authentication section by clicking Change .
4. Click Disable .

I lost my two-step authentication device but I have another logged-in device.

If you’re locked out of your account but have a device still logged in via two-factor authentication, you can use that device to disable two-factor authentication:

1. Go to https://accounts.firefox.com and login.
2. Click Disable in the row that says Two-step authentication.

I lost my two-step authentication device but I have a recovery code.

1. Go to https://accounts.firefox.com and login.
2. If you are prompted for a two-step authentication code, click Trouble entering code? and enter one of your saved recovery codes.
   • If you don’t remember saving your recovery code, check if your file was downloaded and saved with the filename Firefox Recovery Codes.txt.
3. Expand the Two-step authentication section by clicking Change .
4. Click Disable .

I lost my two-step authentication device, can’t find recovery codes and don’t have a logged-in device.

Unfortunately, deactivation of two-step authentication is not supported and you will not be able access your existing Sync data. You can however create a new account with a different email address to begin syncing again.

I lost my two-step authentication device, can’t find recovery codes and don’t have a logged-in device. Can I request to delete my Firefox Account?

In this case it is currently not possible to delete your Firefox Account since we don’t have a way to verify your identity and ownership of that account. We recommend creating a new Firefox Account to use Firefox Sync and other services that require a Firefox Account.

These fine people helped write this article:

Volunteer

Grow and share your expertise with others. Answer questions and improve our knowledge base.

Related Articles

I’ve lost my Firefox Sync account information — What to do

Firefox Sync works by storing your data on Mozilla servers and synchronizing it with your computers and devices. When you set up Sync, you enter.

I’m having problems with my Firefox Account

Need help with Firefox Accounts? This article has some solutions to help you get started. If you don’t find an answer here, you can also get.

Secure your Firefox Account with two-step authentication

Two-step authentication adds extra security by making it harder for someone else to log in to your account, especially if they steal your.

Reset your Firefox Account password with Recovery Keys

Firefox Accounts uses your password to encrypt your data (such as bookmarks and passwords) for extra security. When you forget your password and.

Firefox disable windows authentication

Every once in a while an add from Facebook will open up with a fake «You computer is infected call #» page. This hasn’t been a problem in the past because I use ad-blocker, flash blocker, and no script. But these pages that I have seen lately ask for authentication ex. «A username and password are being requested by http://errorx3458i.ml.».

How can I disable Firefox from making a popup asking for authentication?

These popups stop the page from being closed because they pop back up. They also prevent going to another tab. I can open up a new Firefox instance and use that. The only way to close this is be very very quick and hit the X on the page just after the one on the popup or use task manager and force close Firefox.

Выбранное решение

Firefox is blocking that page for me, says it is a deceptive site. (Screen shot attached.) Do you have that feature disabled? See: How does built-in Phishing and Malware Protection work?

In a similar case, the only way to stop the prompt from reappearing over and over was to press the Esc key several times in quick succession. That stopped the page from reloading and regenerating the prompt so you could close out of it.

Все ответы (14)

You may have ad / mal-ware. Further information can be found in the Troubleshoot Firefox issues caused by malware article.

Run most or all of the listed malware scanners. Each works differently. If one program misses something, another may pick it up.

Separate Issue: Update your Flash Player Note: Windows users should download the active_x for Internet Explorer. and the plugin for Plugin-based browsers (like Firefox).

Note: Windows 8 and Windows 10 have built-in flash players and Adobe will cause a conflict. Install the plugin only. Not the active_x.

Flash Player Version: 23.0.0.185 Flash Player (Linux) Version 11.2.202.637

https://get.adobe.com/flashplayer/ Direct link scans current system and browser Note: Other software is offered in the download.

https://get.adobe.com/flashplayer/otherversions/ Step 1: Select Operating System Step 2: Select A Version (Firefox, Win IE . . . .) Note: Other software is offered in the download.

I don’t have any malware on my computer. This is the result of an add/link from facebook where they are trying to scam you. I saw one just like it for an android phone earlier today.

I just want to know how to Disable Authentication Required Popup for all web pages. How can I block a page from asking for a user name and password? I think it might be a proxy or sspi authentication request.

The webpage I linked has been taken down so I won’t be able to try any solutions until another one comes along 🙁

I don’t have any malware on my computer. This is the result of an add/link from facebook where they are trying to scam you.

Have you scanned your system?

I don’t have any malware on my computer. This is the result of an add/link from facebook where they are trying to scam you.

Выбранное решение

Firefox is blocking that page for me, says it is a deceptive site. (Screen shot attached.) Do you have that feature disabled? See: How does built-in Phishing and Malware Protection work?

In a similar case, the only way to stop the prompt from reappearing over and over was to press the Esc key several times in quick succession. That stopped the page from reloading and regenerating the prompt so you could close out of it.

Изменено 17 октября 2016 г., 23:32:06 -0700 jscher2000