Integrated Windows Authentication with Chrome and Firefox

A few days ago, the Powers That Be at my institution rolled out a change to our web authentication scheme. Previously, we were using a proprietary system that somehow played nice with Active Directory. The changed made Active Directory Federation Services play nice with our proprietary system - making ADFS do the real work.

Now, we live in the world of Integrated Windows Authentication.

I'm all for that, mainly because the proprietary system was a PITA in a lot of cases. This new change makes a lot of thing easier. Plus, now logging onto your workstation logs you into our webapps!

Well, not for me. I use a Chrome and Firefox.


Well, not yet anyway ....

It works great for Safari users on a Mac. However, I use Chrome mostly and Firefox for development testing. 

How on earth do I tell Chrome what servers are okay to do Microsoft Integrated Login with?

I guessed there was a way to configure Chrome and Firefox to do this, and it turns out there is! However, it's not straight forward. I fairly quickly found a command-line switch for Chrome:

/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --auth-server-whitelist="*<fs-server.whoopie>,<another-fs-server.blurp>"

That would be fine, except I don't open Chrome from the command line; I use Spotlight (<command><space>).

How on earth do I get Chrome to open with that command-line switch by default?

I thought the answers would be in the preference files for Mac: plists. Turns out, preferences in plists are a layered hive of black holes. Values go in, but don't always come out. There's a lot of complexity built in for machine management and group policy. However, I don't have any of that. But, it lead to a lot of dead ends. 

Finally I found this post with an answer: put it in the global preferences! 

I opened /Users/<my-user>/Library/Preferences/.GlobalPreferences.plist with VIM, but it was encrypted in some way. I used plutil to convert it to plain XML:

plutil -convert xml1 .GlobalPreferences.plist

Now I can get to the good stuff. Just added a key/value pair at the top, under the <dict> tag and voilĂ , everything started working!

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>

        <key>AuthServerWhitelist</key>
        <string><fs-server.whoopie></string>

        <key>AKDeviceUnlockState</key>
        <false/>
        <key>AKLastCheckInAttemptDate</key>
        <date>2017-05-25T14:07:35Z</date>
        ...

I have to say that while this worked, I'm not sure it's the best solution. A more graceful solution is pending free time. Plus that unicorn with which to ride to that magical free-timey land.

As for Firefox, it was easier, but scarier. I found the information I needed here.

In the address bar, I just went to "config:about", then ignored the message about voiding the warrantee. Then, I just needed to put the fully qualified address of the auth server in these keys:

        network.negotiate-auth.trusted-uris
        network.negotiate-auth.delegation-uris
        network.automatic-ntlm-auth.trusted-uris

Close and reopen. Worked great.

Just to be complete, at the time of the writing, I was using Chrome 58 and Firefox 53.

Comments

Post a Comment

Popular posts from this blog

Error Handling

Image
I found this actual error message today while working with a vendor application: Okay, it wasn't that exact error message. And that's my code. BUT, the first part is verbatim. This is a server-side, vendor-provided, and above all, released product. This is not a beta; we paid someone to give us that error message. What am I supposed to do with that message. My code called your code and it told me "Unable to get resources." Guess I'll just take a nap till those resources can be gotten. Over the years I have seen both vendor applications and custom code where programmers are throwing away valuable information by not properly sending errors up the stack.   You should always, always, ALWAYS send your errors up the stack! * The error above could easily have been something like this: See, now I know something! This is a java.lang.NullPointerException exception in the file MeaningfulError.java - on line 11. That's an informativ
Read more

Impressions from the Past

Today, a lady got a promotion. Let's call her Gretchen. I had dealings with Gretchen before, however they were not good. Gretchen needed some content in the portal I manage. Simple enough. Unfortunately, it was going to take some time to identify her stakeholders specifically. Impatience was wining over doing something right. They wanted to cram the content onto every employee's layouts - despite the fact that most of those employees would have no idea what this content was. At the time, I still had the quixotic notion that I could keep the portal relevant, compelling, and relevant. I pointed out that having that additional kind of noise in the portal was not a good thing. If we waited a week or two, I could set it up so the tab only went to the people who needed the content. They said tough shit - we'll do this now. Fast forward a year and we find their tab that had to be pushed to the entire employee population that didn't mean anything to them, complete with
Read more