Saturday, April 18, 2015

Chrome Windows Integrated Authentication with ADFS 2.0

Method 1

Since Chrome uses the IE security zone configuration by default, add the site under Internet Options->Security->Local Intranet->Sites->Advanced (enter the FQDN, with a wildcard if required, and press Add).

Method 2

If you do not want to rely on the IE settings, apply the following registry entries instead (save them as a .reg file and import it):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome]
"AuthServerWhitelist"="fqdn"
"AuthSchemes"="basic,digest,ntlm,negotiate"
"AuthNegotiateDelegateWhitelist"="fqdn"

fqdn can be a single fully qualified host name (like www.domain.com) or a whole domain (like *domain.com); note that the wildcard syntax differs slightly from IE's (no leading dot is required).

ADFS/SAML Remark

In order to get WIA working against ADFS (at least version 2.0) there are two constraints:

  • Use integrated authentication (in the ADFS web.config):
    <microsoft.identityServer.web>
      <localAuthenticationTypes>
        <add name="Integrated" page="auth/integrated/" />
        <add name="Forms" page="FormsSignIn.aspx" />
        <add name="TlsClient" page="auth/sslclient/" />
    ...
  • Disable Extended Protection for the adfs\ls site (Authentication->Windows Authentication->Advanced Settings, set "Extended Protection" to Off). Extended Protection is the channel-binding check IIS uses to tie the Windows authentication handshake to the TLS session, so switching it off trades that protection for browser compatibility; scope the change to the adfs\ls site rather than the whole server.
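As an added check script (not part of the original post), the following PowerShell verifies the three prerequisites described above on a client/ADFS machine: the Chrome policy values of Method 2, the IE Local Intranet zone mapping of Method 1, and the Extended Protection setting on adfs\ls. The FQDN is a placeholder; the IIS check assumes ADFS is installed on the same machine under "Default Web Site", and the zone check reads the current user's ZoneMap only.

```powershell
# Added check script, not from the original post. $AdfsHost is a placeholder;
# the IIS check assumes ADFS runs on this machine under "Default Web Site".
param([string]$AdfsHost = "sts.example.com")

$problems = @()

# 1. Method 2: the Chrome policy values must cover the ADFS host. Chrome's "*domain.com"
#    has no leading dot, so a -like suffix match mirrors its matching closely enough.
$chromePolicy = "HKLM:\Software\Policies\Google\Chrome"
if (Test-Path $chromePolicy) {
    $policy = Get-ItemProperty $chromePolicy
    foreach ($name in "AuthServerWhitelist", "AuthNegotiateDelegateWhitelist") {
        $value = [string]$policy.$name
        $covered = $value.Split(",") | Where-Object { $_ -and ($AdfsHost -like $_.Trim()) }
        if (-not $covered) { $problems += "$name does not cover $AdfsHost (value '$value')" }
    }
} else {
    $problems += "No Chrome policy key; Chrome will rely on the IE zone settings (Method 1)"
}

# 2. Method 1: the host must sit in the IE Local Intranet zone (zone id 1) in the
#    current user's ZoneMap. A domain-wide entry lives at Domains\<domain> with no host subkey.
$parts = $AdfsHost -split "\."
$domainKey = $parts[-2..-1] -join "."
$zonePath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domainKey"
if ($parts.Length -gt 2) { $zonePath += "\" + ($parts[0..($parts.Length - 3)] -join ".") }
$inIntranet = $false
if (Test-Path $zonePath) {
    $zone = Get-ItemProperty $zonePath
    $inIntranet = ($zone.https -eq 1) -or ($zone.http -eq 1) -or ($zone.'*' -eq 1)
}
if (-not $inIntranet) { $problems += "$AdfsHost is not mapped to the Local Intranet zone" }

# 3. ADFS remark: Extended Protection on adfs/ls must be Off, which IIS stores as tokenChecking = None.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $ep = Get-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\adfs\ls" `
        -Filter "system.webServer/security/authentication/windowsAuthentication/extendedProtection" `
        -Name "tokenChecking"
    # Depending on the IIS version the cmdlet returns the raw string or an attribute object with .Value
    $mode = if ($ep -and $ep.PSObject.Properties["Value"]) { $ep.Value } else { $ep }
    if ("$mode" -ne "None") { $problems += "Extended Protection on adfs/ls is '$mode', not Off (None)" }
}

if ($problems) { $problems | ForEach-Object { "CHECK FAILED: $_" } } else { "All WIA prerequisites look in place for $AdfsHost" }
```

Run it from an elevated prompt on the ADFS server so the WebAdministration query can read the site configuration.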
