From dc0d09f6e6a5681fa4c4146e6df6872dccc40b68 Mon Sep 17 00:00:00 2001
From: Petr Vobornik
Date: Fri, 17 Jul 2015 15:57:30 +0200
Subject: [PATCH] webui: add Kerberos configuration instructions for Chrome

* IE section moved at the end
* Chrome section added
* FF and IE icons removed

https://fedorahosted.org/freeipa/ticket/823

Reviewed-By: Martin Basti
---
 install/html/ssbrowser.html | 111 +++++++++++++++++++++++++++++++-------------
 1 file changed, 80 insertions(+), 31 deletions(-)

diff --git a/install/html/ssbrowser.html b/install/html/ssbrowser.html
index d90103228150a60bd49e91ea8c64891d53d75d7b..685800e16e6e77c70adf905acfca2996513d1e1d 100644
--- a/install/html/ssbrowser.html
+++ b/install/html/ssbrowser.html
@@ -54,38 +54,8 @@

Browser Kerberos Setup

-

Internet ExplorerInternet Explorer Configuration

-

- Once you are able to log into the workstation with your kerberos key you are now able to use that ticket in Internet Explorer. -

-

- Login to the Windows machine using an account of your Kerberos realm (administrative domain) -

-

- In Internet Explorer, click Tools, and then click Internet Options. -

-
-
    -
  1. Click the Security tab
  2. -
  3. Click Local intranet
  4. -
  5. Click Sites
  6. -
  7. Click Advanced
  8. -
  9. Add your domain to the list
  10. -
-
    -
  1. Click the Security tab
  2. -
  3. Click Local intranet
  4. -
  5. Click Custom Level
  6. -
  7. Select Automatic logon only in Intranet zone
  8. -
- -
    -
  1. Visit a kerberized web site using IE (You must use the fully-qualified Domain Name in the URL)
  2. -
  3. You are all set.
  4. -
-
-

FirefoxFirefox Configuration

+

Firefox

You can configure Firefox to use Kerberos for Single Sign-on. The following instructions will guide you in configuring your web browser to send your Kerberos credentials to the appropriate Key Distribution Center which enables Single Sign-on. @@ -117,6 +87,85 @@ +

Chrome

+ +

+ You can configure Chrome to use Kerberos for Single Sign-on. The following instructions will guide you in configuring your web browser to send your Kerberos credentials to the appropriate Key Distribution Center which enables Single Sign-on. +

+ +

Import CA Certificate

+
    +
  1. + Download the CA certificate. Alternatively, if the host is also an IdM client, you can find the certificate in /etc/ipa/ca.crt. +
  2. +
  3. + Click the menu button with the Customize and control Google Chrome tooltip, which is by default in the top right-hand corner of Chrome, and click Settings. +
  4. +
  5. + Click Show advanced settings to display more options, and then click the Manage certificates button located under the HTTPS/SSL heading. +
  6. +
  7. + In the Authorities tab, click the Import button at the bottom. +
  8. +
  9. Select the CA certificate file that you downloaded in the first step.
  10. +
+ +

+ Enable SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) to Use Kerberos Authentication + in Chrome +

+
    +
  1. + Make sure you have the necessary directory created by running: +
    + [root@client]# mkdir -p /etc/opt/chrome/policies/managed/ +
    +
  2. +
  3. + Create a new /etc/opt/chrome/policies/managed/mydomain.json file with write privileges limited to the system administrator or root, and include the following line: +
    + { "AuthServerWhitelist": "*.example.com." } +
    +
    + You can do this by running: +
    +
    + [root@server]# echo '{ "AuthServerWhitelist": "*.example.com." }' > /etc/opt/chrome/policies/managed/mydomain.json +
    +
  4. +
+ +

Internet Explorer

+

+ Once you are able to log into the workstation with your kerberos key you are now able to use that ticket in Internet Explorer. +

+

+ Login to the Windows machine using an account of your Kerberos realm (administrative domain) +

+

+ In Internet Explorer, click Tools, and then click Internet Options. +

+
+
    +
  1. Click the Security tab
  2. +
  3. Click Local intranet
  4. +
  5. Click Sites
  6. +
  7. Click Advanced
  8. +
  9. Add your domain to the list
  10. +
+
    +
  1. Click the Security tab
  2. +
  3. Click Local intranet
  4. +
  5. Click Custom Level
  6. +
  7. Select Automatic logon only in Intranet zone
  8. +
+ +
    +
  1. Visit a kerberized web site using IE (You must use the fully-qualified Domain Name in the URL)
  2. +
  3. You are all set.
  4. +
+
+
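Review bot: The two shell prompts in the Chrome SPNEGO steps disagree: the directory is created at "[root@client]#" but the policy file is written at "[root@server]#", so a reader following the page literally would place mydomain.json on the wrong machine. Both commands should carry the client prompt, since the managed policy directory is read by Chrome on the machine where the browser runs. The same step asks for a file "with write privileges limited to the system administrator or root", yet the suggested echo redirect leaves the file mode to whatever umask is in effect; an explicit chmod 644 on the new file would make the instructions match the stated requirement. Please also confirm that the trailing dot in "*.example.com." is intended, and consider a sentence telling readers that the wildcard makes Chrome offer Negotiate authentication to every host under that domain, so it should be set to the narrowest domain that covers the IdM servers.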
-- 2.4.3