
Integrated Windows Auth (NTLM) on a Mac using Google Chrome or Safari


An IIS7 Intranet site with Windows Authentication enabled. When hit from Chrome on windows the pass-through authentication works fine (no User / Password prompt), however, Chrome on a Mac you get a prompt. Since the internal network uses CAC/PKI no one has a password.

I've tried toggling the Windows Authentication on the site to negotiate, but same user/pass prompt.

appcmd set config /section:windowsAuthentication /-providers.[value='Negotiate']

Anyone know a solution for Chrome on OS X?

EDIT

OS X 10.6.8

Centrify for Mac will be used to authenticate to the (Windows 2008 R2 ActiveDirectory) network via CAC.

EDIT 2

There is a proxy setup, but it gets bypassed for local intranet sites, so I don't think it is playing a role.

Also tried using the --auth-server-whitelist command line switch, didn't work.

EDIT 3

SOLUTION

open 'Google Chrome.app' --args --auth-server-whitelist="*DOMAIN.TLD" --auth-negotiate-delegate-whitelist="*DOMAIN.TLD" --auth-schemes="digest,ntlm,negotiate"

Unfortunately Google Chrome for Mac has no way of specifying command line arguments on every load, so some sort of shell script will need to be made.

Running the following shell script at log in was the final solution to get around Chrome updates and extra doc icons.

#!/bin/bash
# Replaces the Chrome binary with a wrapper that adds the auth switches on every launch.
# Note: "sudo echo ... > file" does not work, because the redirection is performed by the
# unprivileged shell, not by sudo; "sudo tee" writes the wrapper as root instead.
cd "/Applications/Google Chrome.app/Contents/MacOS/" || exit 1
if [ -f 'Google Chrome.bin' ]; then
   echo "Already Modified"
else
   sudo chmod u+wr ./
   sudo mv 'Google Chrome' 'Google Chrome.bin'
   # --args is an option of the open(1) command, not of Chrome, so it is not passed here;
   # "$@" forwards whatever the launcher was invoked with (e.g. a URL) to the real binary.
   printf '%s\n' '#!/bin/bash' \
      'exec "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome.bin" --auth-server-whitelist="*DOMAIN.TLD" --auth-negotiate-delegate-whitelist="*DOMAIN.TLD" --auth-schemes="digest,ntlm,negotiate" "$@"' \
      | sudo tee 'Google Chrome' > /dev/null
   sudo chmod a+x 'Google Chrome'
   echo "NTLM Will now work in chrome"
fi
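The wrapper bakes the whitelists into every launch, so their scope is worth checking: an over-broad --auth-server-whitelist makes Chrome answer NTLM/Negotiate challenges from any host, and an over-broad --auth-negotiate-delegate-whitelist forwards Kerberos tickets to it. The following audit script is an added example, not code from the question or the answer; the wrapper path, DOMAIN.TLD and the sample wrapper it writes are assumptions.

```shell
#!/bin/sh
# Audit a Chrome launcher wrapper like the one above: pull out the auth switches it
# passes and reject patterns that would hand NTLM/Kerberos credentials (or
# delegation) to hosts outside the intranet domain. Added example; the wrapper
# path and DOMAIN.TLD are assumptions, not part of the original post.

# Print the value of --$2=... found in file $1 (quoted or bare), or nothing.
get_switch() {
    sed -n "s/.*--$2=\"\{0,1\}\([^\" ]*\).*/\1/p" "$1" | head -n 1
}

# A whitelist is acceptable only if every comma-separated entry is a plain host
# or a single leading wildcard plus a domain suffix (e.g. *DOMAIN.TLD).
# An empty list, a bare "*" or a wildcard anywhere else in an entry is rejected.
whitelist_ok() {
    [ -n "$1" ] || return 1
    set -f                                  # no glob expansion of the '*' entries
    old_ifs=$IFS; IFS=','; set -- $1; IFS=$old_ifs
    set +f
    for entry in "$@"; do
        case "$entry" in
            ''|'*') return 1 ;;
            \**)    rest=${entry#\*}
                    case "$rest" in *\**) return 1 ;; esac ;;
            *\**)   return 1 ;;
        esac
    done
    return 0
}

# Basic auth sends the password in the clear; it has no place next to ntlm/negotiate.
schemes_ok() {
    case ",$1," in *,basic,*) return 1 ;; esac
    return 0
}

# Audit one wrapper file: 0 = scoped correctly, 1 = something is too broad or missing.
audit_wrapper() {
    whitelist_ok "$(get_switch "$1" auth-server-whitelist)" || return 1
    whitelist_ok "$(get_switch "$1" auth-negotiate-delegate-whitelist)" || return 1
    schemes_ok "$(get_switch "$1" auth-schemes)" || return 1
    return 0
}

# Constructed sample wrapper for a stand-alone run (not a real deployment).
write_sample_wrapper() {
    printf '%s\n' '#!/bin/bash' \
      'exec "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome.bin" --auth-server-whitelist="*DOMAIN.TLD" --auth-negotiate-delegate-whitelist="*DOMAIN.TLD" --auth-schemes="digest,ntlm,negotiate" "$@"' > "$1"
}
```

Run it against the real wrapper with `audit_wrapper "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"` after a Chrome update as well, since an update that restores the original binary silently drops the switches.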

Solution

  • This isn't a bug at the moment. The Mac version of Chrome simply does not support/respect Kerberos policies ("Negotiate" Windows Authentication) unless the domain is white-listed and the browser is fired from the command line. See this link posted 10/31/2011:

    http://code.google.com/p/chromium/issues/detail?id=102339

    It looks like you might be able to permanently white-list a domain though:

    http://www.google.com/support/forum/p/Chrome/thread?tid=592eb87350d9d528&hl=en

    Since you have already tried the white-list switch, I looked closer and it is an OSX thing... 10.7 is necessary for the switch to work properly with Chrome. Your 10.6 version won't work without a third party tool like Centrify.

    Not a happy answer, but the truth.