Kerberos client configuration for Chrome - Alfresco Content Services - 23.4 - 23.4 - Ready - Alfresco - external

Alfresco Content Services

Platform
Alfresco
Product
Alfresco Content Services
Release
23.4
License

When using Chrome on Windows to access Share, if the command-line switch is not present, the permitted list consists of those servers in the Local Machine or Local Intranet security zone. This is the behavior in Internet Explorer. For example, when the host in the URL includes a “.” character, it is outside the Local Intranet security zone. Treating servers that bypass proxies as being in the Intranet zone is currently not supported.

On Windows, HTTP authentication is achieved by adding the Kerberos delegation server allowlist policy, AuthNegotiateDelegateAllowlist. Note that the AuthNegotiateDelegateAllowlist policy:

  • Specifies the servers that Chrome may delegate to
  • Has a Windows registry location of HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\AuthNegotiateDelegateAllowlist
  • Has separate multiple server names with commas
  • Allows wildcards (*)
  • If you do not set this policy, Chrome does not delegate user credentials, even if a server is detected as Intranet

To set the AuthNegotiateDelegateAllowlist policy, follow these steps:

  1. Download the Administrative policy template from http://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip.
  2. Use the command line, gpedit.msc to open the local group policy management.
  3. In the Group Policy Editor console tree, navigate to Local Computer Policy > Computer Configuration > Administrative Templates.
  4. Right click on Administrative Templates.
  5. Click Add/Remove Templates.
  6. Click the Add button.
  7. Select windows/adm/en-US/chrome.adm from the policy_templates.zip download.
  8. In the Local Computer Policy Editor console tree, navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > Google > Google Chrome > Policies for HTTP Authentication > Kerberos delegation server allowlist.
  9. On the Kerberos delegation server allowlist window, click Enabled.
  10. Specify your Share server name(s) as value in Kerberos delegation server allowlist.
  11. To activate the policy, open Chrome.
  12. Type chrome://policy to list the settings as viewed by Chrome.

When using Chrome on Linux as your client, follow these steps:

  1. Create a ticket on the Linux client.
     kinit -f -p user1
     klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: user1@EXAMPLE.FOO
     Valid starting Expires Service principal 14/12/2012 12:10 14/12/2012 22:10 krbtgt/EXAMPLE.FOO@EXAMPLE.FOO renew until 15/12/2012 12:10
    					
  2. To use Alfresco Share, use:
     google-chrome --auth-server-allowlist=madona:8080 --auth-negotiate-delegate-allowlist=madona:8080
    						http://madona:8080/alfresco