From dc0d09f6e6a5681fa4c4146e6df6872dccc40b68 Mon Sep 17 00:00:00 2001

From: Petr Vobornik <pvoborni@redhat.com>

Date: Fri, 17 Jul 2015 15:57:30 +0200

Subject: [PATCH] webui: add Kerberos configuration instructions for Chrome

* IE section moved at the end

* Chrome section added

* FF and IE icons removed

https://fedorahosted.org/freeipa/ticket/823

Reviewed-By: Martin Basti <mbasti@redhat.com>

---

 install/html/ssbrowser.html | 111 +++++++++++++++++++++++++++++++-------------

 1 file changed, 80 insertions(+), 31 deletions(-)

diff --git a/install/html/ssbrowser.html b/install/html/ssbrowser.html

index d90103228150a60bd49e91ea8c64891d53d75d7b..685800e16e6e77c70adf905acfca2996513d1e1d 100644

--- a/install/html/ssbrowser.html

+++ b/install/html/ssbrowser.html

@@ -54,38 +54,8 @@

         
Browser Kerberos Setup

-        
Internet Explorer Configuration

-        

-            Once you are able to log into the workstation with your kerberos key you are now able to use that ticket in Internet Explorer.

-        

-        

-            Login to the Windows machine using an account of your Kerberos realm (administrative domain)

-        

-        

-            In Internet Explorer, click Tools, and then click Internet Options.

-        

-        

-            

-                
Click the Security tab

-                
Click Local intranet

-                
Click Sites 

-                
Click Advanced 

-                
Add your domain to the list

-            

-            

-                
Click the Security tab

-                
Click Local intranet

-                
Click Custom Level

-                
Select Automatic logon only in Intranet zone

-            

-

-            

-                
 Visit a kerberized web site using IE (You must use the fully-qualified Domain Name in the URL)

-                
 You are all set.

-            

-        

-        
Firefox Configuration

+        
Firefox

             You can configure Firefox to use Kerberos for Single Sign-on. The following instructions will guide you in configuring your web browser to send your Kerberos credentials to the appropriate Key Distribution Center which enables Single Sign-on.

@@ -117,6 +87,85 @@

+        
Chrome

+

+        

+            You can configure Chrome to use Kerberos for Single Sign-on. The following instructions will guide you in configuring your web browser to send your Kerberos credentials to the appropriate Key Distribution Center which enables Single Sign-on.

+        

+

+        
Import CA Certificate

+        

+            

+                Download the CA certificate. Alternatively, if the host is also an IdM client, you can find the certificate in /etc/ipa/ca.crt.

+            

+            

+                Click the menu button with the Customize and control Google Chrome tooltip, which is by default in the top right-hand corner of Chrome, and click Settings.

+            

+            

+                Click Show advanced settings to display more options, and then click the Manage certificates button located under the HTTPS/SSL heading.

+            

+            

+                In the Authorities tab, click the Import button at the bottom.

+            

+            
Select the CA certificate file that you downloaded in the first step.

+        

+

+        

+            Enable SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) to Use Kerberos Authentication

+            in Chrome

+        

+        

+            

+                Make sure you have the necessary directory created by running:

+                

+                    [root@client]# mkdir -p /etc/opt/chrome/policies/managed/

+                

+            

+            

+                Create a new /etc/opt/chrome/policies/managed/mydomain.json file with write privileges limited to the system administrator or root, and include the following line:

+                

+                    { "AuthServerWhitelist": "*.example.com." }

+                

+                

+                    You can do this by running:

+                

+                

+                    [root@server]# echo '{ "AuthServerWhitelist": "*.example.com." }' > /etc/opt/chrome/policies/managed/mydomain.json

+                

+            

+        

+

+        
Internet Explorer

+        

+            Once you are able to log into the workstation with your kerberos key you are now able to use that ticket in Internet Explorer.

+        

+        

+            Login to the Windows machine using an account of your Kerberos realm (administrative domain)

+        

+        

+            In Internet Explorer, click Tools, and then click Internet Options.

+        

+        

+            

+                
Click the Security tab

+                
Click Local intranet

+                
Click Sites 

+                
Click Advanced 

+                
Add your domain to the list

+            

+            

+                
Click the Security tab

+                
Click Local intranet

+                
Click Custom Level

+                
Select Automatic logon only in Intranet zone

+            

+

+            

+                
 Visit a kerberized web site using IE (You must use the fully-qualified Domain Name in the URL)

+                
 You are all set.

+            

+        

+

-- 

2.4.3