
KB-0565: Configuring silent authentication for Internet Explorer, Chrome & Firefox browsers

Centrify DirectAudit; Centrify DirectControl; Centrify Identity Service, App Edition; Centrify Identity Service, Mac Edition

12 April,16 at 11:11 AM

Applies to: Internet Explorer, Chrome & Mozilla Firefox browsers 


Question: 

How can silent authentication (otherwise known as Integrated Windows Authentication) be configured for Internet Explorer, Chrome and Firefox?


Answer:
 
If enabling silent authentication to work with the Centrify Identity Service, see also the Centrify Cloud Manager Online Help for any additional configuration steps on the cloud side.


Configuring Internet Explorer & Chrome (Windows)
  • Chrome piggy-backs off of Internet Explorer network settings for IWA, so the IE configuration steps below also apply to Chrome installations.
     
  • In all situations, make sure "Integrated Windows Authentication" is enabled in the Control Panel > Internet Options > Advanced tab: Security settings.
     
Understanding Internet Explorer Security Zones
 
For users to be authenticated silently when using Internet Explorer to access an application on an Apache server with Kerberos or NTLM authentication, the Apache server must either:
  • Be in the Internet Explorer Local Intranet Security Zone
  • Or be explicitly configured as part of the Local Intranet Security Zone. 
For Internet Explorer (and Chrome), a server is recognized as part of the local intranet security zone in one of two ways:
  1. When the user specifies a URL that is not a fully qualified DNS domain name.
    • For example, when accessing an application with a URL such as http://admin-server/index.html, Internet Explorer interprets this as a site in the local intranet security zone. 
  2. When the user specifies a URL with a fully qualified name that has been explicitly configured as a local intranet site in Internet Explorer.
    • For example, when accessing an application with a URL such as http://admin-server.mycompany.com/index.html, Internet Explorer interprets this as a site that is not part of the local intranet unless the site has been manually added to the local intranet security zone. 
Depending on whether users log onto Apache applications using a local intranet URL or a fully-qualified path in the URL, silent authentication may require modifying the local intranet security zone in Internet Explorer. 


Modifying the Local Intranet Security Zone
  • If some users log on to Apache applications using a fully-qualified path in the URL, they may need to modify the settings for the local intranet security zone in their Internet Explorer internet options to enable silent authentication. 


Configuring the Local Intranet Security Zone in Internet Explorer
  1. Open the Windows Start menu and search for "Internet Options" (located in the Control Panel)
  2. Click the Security tab > "Local intranet" icon > [ Sites ] button 
  3. Click the [ Advanced ] button to open the add and remove websites dialogue.
  4. Add the URL(s) for any websites to be made part of the local intranet.
    • Wildcards can be used in the site address, for example, *.centrify.com
  5. Click OK to accept the local intranet configuration settings, then OK again to close the Internet Options. 

Once the local intranet security zone in Internet Explorer is configured, Kerberos or NTLM authentication into Apache applications should occur without the user being prompted to enter a user name and password. 

 



Configuring Firefox (Windows & Mac)

By default, Firefox supports prompted NTLM authentication. To enable silent NTLM authentication, the browser needs to be configured to trust sites. 

Enabling silent authentication in Firefox
  1. Open Firefox and enter about:config into the address bar
  2. Filter the list of parameters by the term: negotiate
  3. Double-click into the following entry:
    • network.negotiate-auth.allow-non-fqdn
  4. Set this to:
    • true
  5. Firefox also supports negotiated (SPNEGO) authentication, however this feature is not enabled by default. To enable silent SPNEGO authentication in Firefox, set up the list of target URLs in comma-separated format:
    • For example:
    • http://fire.arcade.com,https://fire.arcade.com
  6. Add these into the following about:config parameters:
    • network.negotiate-auth.trusted-uris
    • network.negotiate-auth.delegation-uris

Note: For security reasons, be as restrictive as possible in specifying the comma-separated lists. 
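
To check a deployed profile against the note above, the following added example (not Centrify's or Mozilla's code) parses a Firefox prefs.js or user.js file for the three parameters named in the steps and lists every trusted-uris or delegation-uris entry written more broadly than scheme plus host. The sample content is constructed, and the breadth categories are a review heuristic assumed here, not Firefox's own matching rules.

```python
import re

# One line of a Firefox prefs.js / user.js file, for example:
#   user_pref("network.negotiate-auth.allow-non-fqdn", true);
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(?:"([^"]*)"|(true|false))\s*\)\s*;')
LIST_PREFS = ("network.negotiate-auth.trusted-uris",
              "network.negotiate-auth.delegation-uris")

# Constructed sample: the first list is the page's example, the second is broad.
SAMPLE = '''
user_pref("network.negotiate-auth.allow-non-fqdn", true);
user_pref("network.negotiate-auth.trusted-uris", "http://fire.arcade.com,https://fire.arcade.com");
user_pref("network.negotiate-auth.delegation-uris", "https://, .arcade.com, fire.arcade.com");
'''

def parse_prefs(text):
    """Return {name: str | bool} for every network.negotiate-auth.* pref."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1).startswith("network.negotiate-auth."):
            name, string, boolean = m.groups()
            prefs[name] = string if boolean is None else boolean == "true"
    return prefs

def classify(entry):
    """Describe how specifically one list entry is written (review heuristic)."""
    _scheme, sep, rest = entry.partition("://")
    host = (rest if sep else entry).split("/")[0]
    if not host:
        return "scheme-only"      # no host restriction at all
    if host.startswith("."):
        return "domain-suffix"    # written to cover a whole domain
    if not sep:
        return "host-any-scheme"  # host named, scheme left open
    return "scheme+host"          # most specific form, as in the page's example

def audit(text):
    """Return (pref, entry, kind) for each entry broader than scheme+host."""
    prefs = parse_prefs(text)
    findings = []
    for name in LIST_PREFS:
        value = prefs.get(name)
        for entry in (value.split(",") if isinstance(value, str) else []):
            entry = entry.strip()
            if entry and classify(entry) != "scheme+host":
                findings.append((name, entry, classify(entry)))
    return findings
```

Calling `audit()` on the text of a profile's prefs.js returns an empty list when every entry names both a scheme and a host.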




For additional notes on silent authentication in web browsers, see:
