Integrated Windows Authentication with Chrome and Firefox

A few days ago, the Powers That Be at my institution rolled out a change to our web authentication scheme. Previously, we were using a proprietary system that somehow played nice with Active Directory. The changed made Active Directory Federation Services play nice with our proprietary system - making ADFS do the real work.

Now, we live in the world of Integrated Windows Authentication.

I'm all for that, mainly because the proprietary system was a PITA in a lot of cases. This new change makes a lot of thing easier. Plus, now logging onto your workstation logs you into our webapps!

Well, not for me. I use a Chrome and Firefox.


Well, not yet anyway ....

It works great for Safari users on a Mac. However, I use Chrome mostly and Firefox for development testing. 

How on earth do I tell Chrome what servers are okay to do Microsoft Integrated Login with?

I guessed there was a way to configure Chrome and Firefox to do this, and it turns out there is! However, it's not straight forward. I fairly quickly found a command-line switch for Chrome:

/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --auth-server-whitelist="*<fs-server.whoopie>,<another-fs-server.blurp>"

That would be fine, except I don't open Chrome from the command line; I use Spotlight (<command><space>).

How on earth do I get Chrome to open with that command-line switch by default?

I thought the answers would be in the preference files for Mac: plists. Turns out, preferences in plists are a layered hive of black holes. Values go in, but don't always come out. There's a lot of complexity built in for machine management and group policy. However, I don't have any of that. But, it lead to a lot of dead ends. 

Finally I found this post with an answer: put it in the global preferences! 

I opened /Users/<my-user>/Library/Preferences/.GlobalPreferences.plist with VIM, but it was encrypted in some way. I used plutil to convert it to plain XML:

plutil -convert xml1 .GlobalPreferences.plist

Now I can get to the good stuff. Just added a key/value pair at the top, under the <dict> tag and voilĂ , everything started working!

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>

        <key>AuthServerWhitelist</key>
        <string><fs-server.whoopie></string>

        <key>AKDeviceUnlockState</key>
        <false/>
        <key>AKLastCheckInAttemptDate</key>
        <date>2017-05-25T14:07:35Z</date>
        ...

I have to say that while this worked, I'm not sure it's the best solution. A more graceful solution is pending free time. Plus that unicorn with which to ride to that magical free-timey land.

As for Firefox, it was easier, but scarier. I found the information I needed here.

In the address bar, I just went to "config:about", then ignored the message about voiding the warrantee. Then, I just needed to put the fully qualified address of the auth server in these keys:

        network.negotiate-auth.trusted-uris
        network.negotiate-auth.delegation-uris
        network.automatic-ntlm-auth.trusted-uris

Close and reopen. Worked great.

Just to be complete, at the time of the writing, I was using Chrome 58 and Firefox 53.

Comments

Popular posts from this blog

Planned System Downtime

Error Handling