Kerberos Ticket Hand-off No Good on Chrome on macOS X

I am implementing Okta as a single sign-on provider in an enterprise environment of about 90 users. One of Okta's features is Desktop Single Sign On - the ability for users to be authenticated with Okta simply by virtue of having logged into their machine and thereby authenticating with the domain. The user simply opens a browser, goes to the company's Okta tenant URL, and they are logged in.



Without this feature, the user would be prompted for their credentials when loading up the Okta tenant URL.



DSSO is accomplished by the browser picking up a Kerberos ticket from the OS that itself is generated when the user authenticates with the Active Directory domain. The browser then hands this ticket back to the server, and the server communicates with the Okta cloud to authenticate the user.



The authentication flow in our environment goes like this:



  1. User logs into their machine. A Kerberos ticket is generated upon login and authentication with the domain.

  2. User opens their browser, and either tries to access an Okta-protected/integrated app, or goes directly to their Okta portal.

  3. User is redirected by Okta to our load balancer, which terminates the request at the IWA web app on the web server

  4. IWA web app challenges the browser for authentication

  5. Browser grabs the Kerberos ticket from the OS and hands it to the load balancer, which passes it to the IWA web app

  6. IWA app validates the ticket and fetches user profile from AD

  7. IWA app generates and digitally signs an SSO token and sends it to the browser

  8. Browser returns the token to Okta via HTML form POST

  9. Okta completes the sign-in request and returns the user to the app with an SSO token

The process is failing on step 5, and I know this is the case because:



  1. Chrome prompts the user for NTLM credentials when the Okta tenant URL is requested

  2. This prompt happens before the IWA web app and the browser is configured properly for DSSO (per the documentation I linked at the beginning)

  3. The prompt does not happen on Chrome, Firefox, and Internet Explorer on Windows (DSSO works on Windows with Chrome, Firefox, and IE)

  4. This prompt does not happen in Safari on macOS X, but does happen with Chrome and Firefox in OS X

What I cannot figure out is why Chrome and Firefox are not picking up the Kerberos ticket from the OS in macOS X, but the same browsers in Windows are picking up the ticket without a hitch.



Steps I've tried:




  1. Setting Chrome's whitelist settings with the following terminal commands (recommended by Okta's documentation):

        $ defaults write com.google.Chrome AuthServerWhitelist "*.example.com"
        $ defaults write com.google.Chrome AuthNegotiateDelegateWhitelist "*.example.com"



  2. Setting Chrome's whitelist settings with SimpleMDM configuration push (this method actually succeeded in pushing the settings to Chrome - proven by going to chrome://policy and seeing the settings)

  3. Uninstalling anti-virus

  4. Adding every possible FQDN to the list of servers whitelisted in step 2 - first just the servers we have whitelisted in Windows (because Windows actually works), and then a list of Okta servers recommended by Okta support

I still cannot get this feature to work and I am now trying to figure out if there's a way to troubleshoot the process Chrome uses to pick up the Kerberos ticket from the OS. Some kind of debugger for Chrome's Kerberos ticket pickup mechanism would be great, but I imagine no such thing is available.

      mac-osx kerberos google-chrome

      asked May 8 at 11:55

      user490549
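What can actually be checked at step 5 is the shape of the Negotiate token the browser sends: a SPNEGO token carrying a ticket lists the Kerberos mechanism OIDs, while a browser that has no service ticket offers only NTLMSSP (or sends a bare NTLM message), which is what produces the NTLM prompt described in the question. The classifier below is an added example, not code from the original post or from Okta's IWA agent; the tokens it inspects are constructed inline, and in practice the input would be the `Authorization` request header captured from a failing macOS client (for example via a proxy trace or Chrome's chrome://net-export log).

```python
import base64

# DER-encoded OID bodies of the mechanisms that appear in browser Negotiate tokens.
SPNEGO = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2
NTLMSSP = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {SPNEGO: "spnego", KRB5: "krb5", MS_KRB5: "ms-krb5", NTLMSSP: "ntlmssp"}


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length (real tokens)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def classify_negotiate(header_value):
    """Classify an 'Authorization: Negotiate <base64>' header value.

    Returns (outer_mechanism, offered_mech_types). 'ntlm-raw' is a bare NTLMSSP
    message; a SPNEGO mech list of only ['ntlmssp'] means the browser had no
    Kerberos service ticket for the SPN it was challenged for.
    """
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return (scheme.lower(), [])
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):
        return ("ntlm-raw", [])
    if not raw or raw[0] != 0x60:                  # not a GSS-API InitialContextToken
        return ("unknown", [])
    _, body, _ = _tlv(raw, 0)
    tag, oid, pos = _tlv(body, 0)
    mech = OID_NAMES.get(oid, "unknown-oid") if tag == 0x06 else "unknown"
    if mech != "spnego":
        return (mech, [mech])                      # e.g. a bare Kerberos AP-REQ
    # NegTokenInit ::= [0] SEQUENCE { [0] mechTypes SEQUENCE OF OID, ... }
    _, neg, _ = _tlv(body, pos)
    _, seq, _ = _tlv(neg, 0)
    tag, wrapped, _ = _tlv(seq, 0)
    mechs, p = [], 0
    mechlist = _tlv(wrapped, 0)[1] if tag == 0xA0 else b""
    while p < len(mechlist):
        _, o, p = _tlv(mechlist, p)
        mechs.append(OID_NAMES.get(o, "unknown-oid"))
    return ("spnego", mechs)


def _der(tag, value):
    """Short-form DER encoder, only used to build the constructed samples below."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


def _sample_spnego(mech_oids):
    """Constructed NegTokenInit offering mech_oids, with a dummy 16-byte mechToken."""
    mech_list = _der(0x30, b"".join(_der(0x06, o) for o in mech_oids))
    neg = _der(0x30, _der(0xA0, mech_list) + _der(0xA2, _der(0x04, b"\x60" + b"\x00" * 15)))
    token = _der(0x60, _der(0x06, SPNEGO) + _der(0xA0, neg))
    return "Negotiate " + base64.b64encode(token).decode()


# Constructed samples: a healthy Kerberos hand-off and the two NTLM fallback shapes.
SAMPLE_KERBEROS = _sample_spnego([MS_KRB5, KRB5])
SAMPLE_NTLM_ONLY = _sample_spnego([NTLMSSP])
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01" + b"\x00" * 31).decode()
```

A result of `('spnego', ['ntlmssp'])` or `('ntlm-raw', [])` for the macOS client confirms the browser never obtained a Kerberos service ticket, which points at the client's ticket cache or the SPN being requested rather than at the IWA web app.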