Internet Explorer, Chrome & Mozilla Firefox browsers

Question:
How can silent authentication (otherwise known as Integrated Windows Authentication) be configured for Internet Explorer, Chrome and Firefox?

Answer:
If you are enabling silent authentication for use with the Centrify Identity Service, also see the Centrify Cloud Manager Online Help for any additional configuration steps required on the cloud side:
Configuring Internet Explorer & Chrome (Windows)
- On Windows, Chrome uses the Internet Explorer network settings, including the security zones, for Integrated Windows Authentication (IWA), so the IE configuration steps below apply to Chrome installations as well.
- In all cases, make sure "Enable Integrated Windows Authentication" is checked under Control Panel > Internet Options > Advanced tab > Security.
Understanding Internet Explorer Security Zones
For users to be authenticated silently when using Internet Explorer to access an application on an Apache server with Kerberos or NTLM authentication, the Apache server must be in the Internet Explorer Local intranet security zone (by default Internet Explorer logs on automatically with the current user's credentials only for sites in that zone). The server must be either:
- Recognized automatically by Internet Explorer as a local intranet site, or
- Explicitly configured as part of the Local intranet security zone.
For Internet Explorer (and Chrome), a server is recognized as part of the local intranet security zone in one of two ways:
- When the user specifies a URL whose host name is not a fully qualified DNS name (a single-label name with no dots).
- For example, when accessing an application with a URL such as http://admin-server/index.html, Internet Explorer treats the site as being in the local intranet security zone.
- When the user specifies a URL with a fully qualified host name that has been explicitly configured as a local intranet site in Internet Explorer.
- For example, when accessing an application with a URL such as http://admin-server.mycompany.com/index.html, Internet Explorer treats the site as outside the local intranet unless it has been manually added to the local intranet security zone.
Depending on whether users open Apache applications with a short intranet host name or a fully qualified host name in the URL, silent authentication may require modifying the local intranet security zone in Internet Explorer.
Modifying the Local Intranet Security Zone
- If some users log on to Apache applications using a fully qualified host name in the URL, the local intranet security zone in their Internet Explorer Internet Options must be modified before silent authentication will work for them.
Configuring the Local Intranet Security Zone in Internet Explorer
- Open the Windows Start menu and search for "Internet Options" (located in the Control Panel)
- Click the Security tab > "Local intranet" icon > [ Sites ] button
- Click the [ Advanced ] button to open the add and remove websites dialogue.
- Add the URL(s) of any websites to be made part of the local intranet. To add an http:// URL, first clear "Require server verification (https:) for all sites in this zone".
- Wildcards can be used in the site address, for example *.centrify.com. A wildcard places every host under that domain in the zone, and each of them will then receive the user's credentials automatically, so keep it as narrow as the deployment allows.
- Click OK to accept the local intranet configuration settings, then OK again to close the Internet Options.
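The procedure above done from PowerShell instead of the dialog, as an added example that is not part of the original article or of Centrify's own tooling: it writes the same per-user ZoneMap registry keys that the Local intranet > Sites > Advanced dialog edits, turns on the "Enable Integrated Windows Authentication" checkbox, warns when Group Policy owns the site-to-zone list, and reads the result back. The host names, and the simplifying assumption that the domain key is the last two labels of each name, are this example's own.

```powershell
# Added example (not from the Centrify article): populate Internet Explorer's
# Local intranet zone from PowerShell. Chrome on Windows reads the same zone map.
# Host names are illustrative; admin-server.mycompany.com and *.centrify.com are
# the article's examples. Needs PowerShell 5.0+ (Select-Object -SkipLast).

$InternetSettings  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZoneMapDomains    = Join-Path $InternetSettings 'ZoneMap\Domains'
$LocalIntranetZone = 1   # zone ids: 0 My Computer, 1 Local intranet, 2 Trusted, 3 Internet, 4 Restricted

function Test-ZoneMapManagedByPolicy {
    # When the "Site to Zone Assignment List" Group Policy is applied, IE uses the copy
    # under the Policies hive and ignores per-user edits (the dialog is greyed out too).
    foreach ($hive in 'HKCU:', 'HKLM:') {
        if (Test-Path "$hive\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains") {
            return $true
        }
    }
    return $false
}

function Enable-IntegratedWindowsAuth {
    # The "Enable Integrated Windows Authentication" checkbox on the Advanced tab.
    New-ItemProperty -Path $InternetSettings -Name 'EnableNegotiate' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Add-LocalIntranetSite {
    param(
        [Parameter(Mandatory)] [string] $Site,                          # 'admin-server.mycompany.com' or '*.centrify.com'
        [ValidateSet('http', 'https', '*')] [string] $Scheme = 'https'  # '*' = any scheme
    )
    # Registry layout: Domains\<domain>\<host labels>, one value per scheme, DWORD data = zone id.
    # Assumption in this example: the domain key is the last two labels of the name.
    $labels = $Site.ToLowerInvariant().Split('.')
    if ($labels.Count -lt 2) {
        throw "'$Site' has no dot; IE already treats single-label names as Local intranet"
    }
    $domain   = $labels[-2..-1] -join '.'
    $hostPart = ($labels | Select-Object -SkipLast 2) -join '.'   # '' for a bare domain, '*' for a wildcard
    $key = Join-Path $ZoneMapDomains $domain
    New-Item -Path $key -Force | Out-Null
    if ($hostPart -and $hostPart -ne '*') {
        $key = Join-Path $key $hostPart
        New-Item -Path $key -Force | Out-Null
    }
    New-ItemProperty -Path $key -Name $Scheme -PropertyType DWord -Value $LocalIntranetZone -Force | Out-Null
    return $key
}

function Get-LocalIntranetSites {
    # Read the zone map back as scheme://host strings (a domain-level entry covers the whole domain).
    Get-ChildItem -Path $ZoneMapDomains -Recurse | ForEach-Object {
        $item  = $_
        $parts = ($item.Name -replace '^.*\\Domains\\', '').Split('\')
        [array]::Reverse($parts)                 # 'mycompany.com\admin-server' -> 'admin-server.mycompany.com'
        $hostName = $parts -join '.'
        foreach ($scheme in $item.GetValueNames()) {
            if ($item.GetValue($scheme) -eq $LocalIntranetZone) { '{0}://{1}' -f $scheme, $hostName }
        }
    }
}

if (Test-ZoneMapManagedByPolicy) {
    Write-Warning 'Site-to-zone assignments come from Group Policy; per-user ZoneMap edits will be ignored.'
}
Enable-IntegratedWindowsAuth
Add-LocalIntranetSite -Site 'admin-server.mycompany.com' -Scheme 'https' | Out-Null
Add-LocalIntranetSite -Site '*.centrify.com' -Scheme 'https' | Out-Null
Get-LocalIntranetSites
```

Run it as the user whose Internet Options should change; the Sites dialog writes exactly these keys, so the two can be mixed. Chrome on Windows consults this zone map only while its own AuthServerAllowlist policy is unset; once that policy is set, Chrome's list decides which servers receive IWA credentials.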
Once the local intranet security zone in Internet Explorer is configured, Kerberos or NTLM authentication to Apache applications should occur without the user being prompted for a user name and password.
Configuring Firefox (Windows & Mac)
By default, Firefox responds to an NTLM challenge only after prompting for credentials. To enable silent NTLM authentication, the browser has to be configured to trust the sites concerned.
Enabling silent authentication in Firefox
- Open Firefox and enter about:config into the address bar
- Filter the list of parameters by the term: negotiate
- Double-click the following entry:
- Set this to:
- Kerberos single sign-on uses negotiated (SPNEGO) authentication. Firefox supports it, but by default performs it silently for no site at all. To enable silent SPNEGO authentication in Firefox, set up the list of target URLs in comma-separated format:
- For example:
- Add the list to the following about:config parameters:
Note: For security reasons, be as restrictive as possible in specifying the comma-separated lists. Every site that matches an entry receives the user's Kerberos ticket or NTLM response without a prompt, so a broad entry (a whole domain, or a wildcard) extends that trust to any host an attacker can place under it. Prefer exact https:// URLs to bare domain names.
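For Firefox, the same trust lists set centrally rather than in each profile's about:config, as an added example that is not from the article or from Centrify: on Windows, Firefox reads enterprise policies from HKLM\SOFTWARE\Policies\Mozilla\Firefox, and its Authentication policy feeds the standard Firefox preferences that the steps above edit by hand (SPNEGO sets network.negotiate-auth.trusted-uris, NTLM sets network.automatic-ntlm-auth.trusted-uris, Delegated sets network.negotiate-auth.delegation-uris). The host names are this example's assumptions, and it needs an elevated prompt.

```powershell
# Added example (not from the Centrify article): configure Firefox's silent SPNEGO
# (Kerberos) and NTLM trust lists machine-wide through the Firefox enterprise-policy
# registry keys. Policy subkey -> about:config preference it controls:
#   Authentication\SPNEGO    -> network.negotiate-auth.trusted-uris
#   Authentication\NTLM      -> network.automatic-ntlm-auth.trusted-uris
#   Authentication\Delegated -> network.negotiate-auth.delegation-uris
# Site names are illustrative (admin-server.mycompany.com is the article's example host).

$AuthKey = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Authentication'

function Set-FirefoxAuthList {
    param(
        [Parameter(Mandatory)] [ValidateSet('SPNEGO', 'NTLM', 'Delegated')] [string] $List,
        [Parameter(Mandatory)] [string[]] $Sites
    )
    # Each list is a subkey whose REG_SZ values are named 1, 2, 3, ...
    # Recreate it so entries from a previous run do not linger.
    $key = Join-Path $AuthKey $List
    if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
    New-Item -Path $key -Force | Out-Null
    $i = 1
    foreach ($site in $Sites) {
        New-ItemProperty -Path $key -Name $i -PropertyType String -Value $site -Force | Out-Null
        $i++
    }
}

function Get-FirefoxAuthList {
    param([Parameter(Mandatory)] [ValidateSet('SPNEGO', 'NTLM', 'Delegated')] [string] $List)
    # Return the entries in numeric order, which is the order Firefox joins them into the pref.
    $key = Join-Path $AuthKey $List
    if (-not (Test-Path $key)) { return @() }
    $item = Get-Item -Path $key
    return @($item.GetValueNames() | Sort-Object { [int]$_ } | ForEach-Object { $item.GetValue($_) })
}

# Prefer full https:// origins: an entry without a scheme (e.g. 'mycompany.com') is
# treated as a domain suffix and covers every host under it.
$ssoSites = @('https://admin-server.mycompany.com')
Set-FirefoxAuthList -List 'SPNEGO' -Sites $ssoSites
# NTLM fallback for the same host only.
Set-FirefoxAuthList -List 'NTLM' -Sites $ssoSites
# 'Delegated' is deliberately left unset: it lets the server obtain Kerberos tickets
# on the user's behalf, which an ordinary web application does not need.

# Lock the policy so users cannot widen the lists from about:config.
New-Item -Path $AuthKey -Force | Out-Null
New-ItemProperty -Path $AuthKey -Name 'Locked' -PropertyType DWord -Value 1 -Force | Out-Null

foreach ($list in 'SPNEGO', 'NTLM', 'Delegated') {
    '{0}: {1}' -f $list, ((Get-FirefoxAuthList -List $list) -join ',')
}
```

Firefox reads the policy at start-up, and about:policies in the browser shows what was applied. On a Mac the same Authentication policy can be supplied as a policies.json file in the distribution folder inside Firefox.app, or through a macOS configuration profile.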
For additional notes on silent authentication in web browsers, see: