From dc0d09f6e6a5681fa4c4146e6df6872dccc40b68 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvoborni@redhat.com>
Date: Fri, 17 Jul 2015 15:57:30 +0200
Subject: [PATCH] webui: add Kerberos configuration instructions for Chrome
* IE section moved to the end
* Chrome section added
* FF and IE icons removed
https://fedorahosted.org/freeipa/ticket/823
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
 install/html/ssbrowser.html | 111 +++++++++++++++++++++++++++++++-------------
 1 file changed, 80 insertions(+), 31 deletions(-)
diff --git a/install/html/ssbrowser.html b/install/html/ssbrowser.html
590d18
index d90103228150a60bd49e91ea8c64891d53d75d7b..685800e16e6e77c70adf905acfca2996513d1e1d 100644
590d18
--- a/install/html/ssbrowser.html
590d18
+++ b/install/html/ssbrowser.html
590d18
@@ -54,38 +54,8 @@
590d18
     
590d18
     
590d18
         

Browser Kerberos Setup

590d18
-        

Internet ExplorerInternet Explorer Configuration

590d18
-        

590d18
-            Once you are able to log into the workstation with your kerberos key you are now able to use that ticket in Internet Explorer.
590d18
-        

590d18
-        

590d18
-            Login to the Windows machine using an account of your Kerberos realm (administrative domain)
590d18
-        

590d18
-        

590d18
-            In Internet Explorer, click Tools, and then click Internet Options.
590d18
-        

590d18
-        
590d18
-            
    590d18
    -                
  1. Click the Security tab
  2. 590d18
    -                
  3. Click Local intranet
  4. 590d18
    -                
  5. Click Sites
  6. 590d18
    -                
  7. Click Advanced
  8. 590d18
    -                
  9. Add your domain to the list
  10. 590d18
    -            
    590d18
    -            
      590d18
      -                
    1. Click the Security tab
    2. 590d18
      -                
    3. Click Local intranet
    4. 590d18
      -                
    5. Click Custom Level
    6. 590d18
      -                
    7. Select Automatic logon only in Intranet zone
    8. 590d18
      -            
      590d18
      -
      590d18
      -            
        590d18
        -                
      1. Visit a kerberized web site using IE (You must use the fully-qualified Domain Name in the URL)
      2. 590d18
        -                
      3. You are all set.
      4. 590d18
        -            
        590d18
        -        
        590d18
         
        590d18
        -        

        FirefoxFirefox Configuration

        590d18
        +        

        Firefox

        590d18
         
        590d18
                 

        590d18
                     You can configure Firefox to use Kerberos for Single Sign-on. The following instructions will guide you in configuring your web browser to send your Kerberos credentials to the appropriate Key Distribution Center which enables Single Sign-on.
        590d18
        @@ -117,6 +87,85 @@
        590d18
                     
        590d18
                 
        590d18
         
        590d18
        +        

        Chrome

        590d18
        +
        590d18
        +        

        590d18
        +            You can configure Chrome to use Kerberos for Single Sign-on. The following instructions will guide you in configuring your web browser to send your Kerberos credentials to the appropriate Key Distribution Center which enables Single Sign-on.
        590d18
        +        

        590d18
        +
        590d18
        +        

        Import CA Certificate

        590d18
        +        
          590d18
          +            
        1. 590d18
          +                Download the CA certificate. Alternatively, if the host is also an IdM client, you can find the certificate in /etc/ipa/ca.crt.
          590d18
          +            
          590d18
          +            
        2. 590d18
          +                Click the menu button with the Customize and control Google Chrome tooltip, which is by default in the top right-hand corner of Chrome, and click Settings.
          590d18
          +            
          590d18
          +            
        3. 590d18
          +                Click Show advanced settings to display more options, and then click the Manage certificates button located under the HTTPS/SSL heading.
          590d18
          +            
          590d18
          +            
        4. 590d18
          +                In the Authorities tab, click the Import button at the bottom.
          590d18
          +            
          590d18
          +            
        5. Select the CA certificate file that you downloaded in the first step.
        6. 590d18
          +        
          590d18
          +
          590d18
          +        

          590d18
          +            Enable SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) to Use Kerberos Authentication
          590d18
          +            in Chrome
          590d18
          +        
          590d18
          +        
            590d18
            +            
          1. 590d18
            +                Make sure you have the necessary directory created by running:
            590d18
            +                
            590d18
            +                    [root@client]# mkdir -p /etc/opt/chrome/policies/managed/
            590d18
            +                
            590d18
            +            
            590d18
            +            
          2. 590d18
            +                Create a new /etc/opt/chrome/policies/managed/mydomain.json file with write privileges limited to the system administrator or root, and include the following line:
            590d18
            +                
            590d18
            +                    { "AuthServerWhitelist": "*.example.com." }
            590d18
            +                
            590d18
            +                
            590d18
            +                    You can do this by running:
            590d18
            +                
            590d18
            +                
            590d18
            +                    [root@server]# echo '{ "AuthServerWhitelist": "*.example.com." }' > /etc/opt/chrome/policies/managed/mydomain.json
            590d18
            +                
            590d18
            +            
            590d18
            +        
            590d18
            +
            590d18
            +        

            Internet Explorer

            590d18
            +        

            590d18
            +            Once you are able to log into the workstation with your kerberos key you are now able to use that ticket in Internet Explorer.
            590d18
            +        

            590d18
            +        

            590d18
            +            Login to the Windows machine using an account of your Kerberos realm (administrative domain)
            590d18
            +        

            590d18
            +        

            590d18
            +            In Internet Explorer, click Tools, and then click Internet Options.
            590d18
            +        

            590d18
            +        
            590d18
            +            
              590d18
              +                
            1. Click the Security tab
            2. 590d18
              +                
            3. Click Local intranet
            4. 590d18
              +                
            5. Click Sites
            6. 590d18
              +                
            7. Click Advanced
            8. 590d18
              +                
            9. Add your domain to the list
            10. 590d18
              +            
              590d18
              +            
                590d18
                +                
              1. Click the Security tab
              2. 590d18
                +                
              3. Click Local intranet
              4. 590d18
                +                
              5. Click Custom Level
              6. 590d18
                +                
              7. Select Automatic logon only in Intranet zone
              8. 590d18
                +            
                590d18
                +
                590d18
                +            
                  590d18
                  +                
                1. Visit a kerberized web site using IE (You must use the fully-qualified Domain Name in the URL)
                2. 590d18
                  +                
                3. You are all set.
                4. 590d18
                  +            
                  590d18
                  +        
                  590d18
                  +
                  590d18
                       
                  590d18
                       
                  590d18
                       
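Review bot: The two commands in the new SPNEGO steps carry different prompts, `[root@client]#` for the `mkdir` and `[root@server]#` for the `echo`, yet the managed-policy file only matters on the machine where Chrome runs, so the second prompt should also read `[root@client]#`. The sample value `"*.example.com."` is never marked as a placeholder, and as a wildcard it lets Chrome attempt Negotiate authentication with every host under that domain; I would add a sentence telling the reader to substitute their own domain and to prefer listing only the IPA server host names, and would confirm whether the trailing dot is intended. In the Import CA Certificate list, step 1 should ask the reader to compare the downloaded certificate's fingerprint with `/etc/ipa/ca.crt` on an enrolled host, or with a value obtained out of band, before importing it as a trusted authority. The introductory paragraph also says the browser sends Kerberos credentials to the Key Distribution Center, whereas with SPNEGO the browser presents a service ticket to the web server; that wording appears to be carried over from the Firefox section and could be corrected in both places.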
                  -- 
                  2.4.3