
I'm trying to configure Google Chrome (and Firefox) to authenticate using Active Directory tunneled through ADFS SAML/Kerberos Endpoints and an Apache application using Shibboleth. Here are some settings I have inside each machine.

Active Directory Setting: I am using an Active Directory User Account configured with Kerberos DES Encryption and also have Kerberos preauthentication in Windows Server 2012 r2.

IE Setting: The IE Security Setting for Internet and Trusted Sites has User Authentication set to "Automatic logon with current user name and password" (to automatically login Windows current user). The domains for ADFS and the Apache application are added in the allowed sites.

Windows Server 2012 r2 ADFS Setting: The Windows Server 2012 r2 is configured using ADFS with SAML and Kerberos Endpoints enabled.

Shibboleth SP Setting: The Shibboleth SP runs in Apache, and is configured to use SAML.

What's successfully happening: The Windows user account can successfully login to any Windows 7 Operating System and above using IE9 and latest. There are no prompts once the Windows user logs in to the Apache application. The Windows user is directed immediately to the Apache Application configured with Shibboleth SP.

What's wrong? Whenever I go to Google Chrome or Firefox, it is not directing immediately to the secure application content page. Instead, it connects the Windows user to an ADFS login screen and login fails (because it seems to be using Kerberos from Active Directory setting, which ADFS does not use on login screen).

Goal: Assuming that Google Chrome takes the security setting from Internet Explorer to use, logging in to the Apache application should work without a hassle.

So, how do I configure Google Chrome properly (or any other configuration) to allow Windows user to login automatically to the Apache application?

Update

Error: I get the following error from the Apache application:

openSAML::FatalProfileException at (https://c-app01.contoso.com/Shibboleth.sso/SAML2/POST)

SAML response reported an IdP error.

Error from identity provider: 

    Status: urn:oasis:names:tc:SAML:2.0:status:Responder
Franz Noel

1 Answer


There are different configurations for using the "system logon credentials" (Kerberos authentication mechanism) for Chrome and Firefox.

Chrome

To configure Chrome you need to start the application with the following parameter:

  • auth-server-whitelist - Allowed FQDN - Set the FQDN of the IdP Server. Example:

chrome --auth-server-whitelist="*aai-logon.domain-a.com"

You can find the right FQDN in the "Login page":

Example for Login page

Mozilla Firefox

To access the Firefox settings, enter about:config into the Address bar and press [Enter]. This will bring up a long list of customizable preferences for the current installation of the browser. You need to add the FQDN (fully qualified domain name) of the IdP Server into the list of trusted URIs:

  • network.negotiate-auth.trusted-uris - FQDN of the IdP Server.

Example for Configuration

You can find the right FQDN in the "Login page":

Firefox - Advanced configuration

Attention: These options are for "advanced" users only! If your OS does not have GSSAPI integrated (like some Linux distributions), you can specify which external library you desire with:

  • network.negotiate-auth.gsslib - (default: empty) - Specifies an alternate GSSAPI shared library.
  • network.negotiate-auth.using-native-gsslib - Inform if the "native" (true) or the external (false) GSSAPI library will be used.

Here are other settings concerning negotiate/authentication:

  • network.negotiate-auth.delegation-uris (default: empty) - For which FQDN credential delegation will be allowed (trusted).
  • network.negotiate-auth.allow-proxies (default: true) - Enables proxy authentication using the negotiate method.
  • network.auth.use-sspi (only on Windows, default: true) - Whether to use Microsoft's SSPI library, if disabled use GSSAPI.
Andy Liu - MSFT
  • Depending on the version being used, the parameter auth-server-whitelist has apparently been removed: [What happened to -auth-server-whitelist?](https://productforums.google.com/forum/#!topic/chrome/JwFFodLncE8) and [Chrome 41 AuthSchemes override is not working](https://groups.google.com/a/chromium.org/forum/#!topic/chromium-discuss/EPUcw_QDlN8) – John K. N. Dec 30 '16 at 08:00
  • Chrome will use IE Setting for auto logon, and the website should be added into the zone of **Local Intranet**. Please refer to the similar thread for the Chrome with Windows Integrated Authentication. [Similar Thread](http://stackoverflow.com/questions/7800938/how-to-enable-auto-logon-user-authentication-for-google-chrome) – Andy Liu - MSFT Jan 09 '17 at 09:57
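The trusted-uris and delegation-uris lists in the answer above decide which hosts receive the user's Kerberos ticket (and, for delegation, a forwardable TGT), so an over-broad pattern is the setting worth catching. The following added example (not from the answer or from either browser project) parses a constructed Firefox user.js and checks both that list and a Chrome-style allowlist value for entries that match every host; the "broad pattern" rule is a heuristic assumption, not browser-documented matching semantics.

```python
import re

# Constructed sample Firefox user.js (not from the original post): the trusted
# IdP is scoped to one FQDN, but delegation is left wide open with "*".
SAMPLE_USER_JS = '''
user_pref("network.negotiate-auth.trusted-uris", "aai-logon.domain-a.com");
user_pref("network.negotiate-auth.delegation-uris", "*");
user_pref("network.negotiate-auth.allow-proxies", true);
'''

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(?:"([^"]*)"|(true|false))\);')

def parse_user_js(text):
    """Return {pref_name: value} for string and boolean user_pref lines."""
    prefs = {}
    for name, string_val, bool_val in PREF_RE.findall(text):
        prefs[name] = string_val if bool_val == "" else bool_val == "true"
    return prefs

def split_list(value):
    """Both browsers take a comma-separated list of host patterns."""
    return [v.strip() for v in value.split(",") if v.strip()]

def pattern_is_broad(pattern):
    """Heuristic (assumption): a bare wildcard, or a wildcard whose suffix has
    no dot, matches every host and so hands Negotiate tokens to anyone."""
    p = re.sub(r"^https?://", "", pattern.lower())
    wildcard = p.startswith(("*", "."))
    host = p.lstrip("*.")
    return host == "" or (wildcard and "." not in host)

def audit_patterns(trusted, delegated=()):
    """Flag over-broad entries; delegation hands the user's TGT to the host,
    so it should be narrower than, and contained in, the trusted list."""
    findings = []
    for p in trusted:
        if pattern_is_broad(p):
            findings.append(f"trusted entry {p!r} sends Negotiate tokens to any host")
    for p in delegated:
        if pattern_is_broad(p):
            findings.append(f"delegation entry {p!r} forwards the TGT to any host")
        elif p not in trusted:
            findings.append(f"delegation entry {p!r} is not in the trusted list")
    return findings

def audit_firefox_user_js(text):
    prefs = parse_user_js(text)
    get = lambda k: split_list(prefs.get(k, ""))
    return audit_patterns(get("network.negotiate-auth.trusted-uris"),
                          get("network.negotiate-auth.delegation-uris"))
```

Running `audit_firefox_user_js(SAMPLE_USER_JS)` reports only the "*" delegation entry, while the answer's Chrome value `*aai-logon.domain-a.com` passes `audit_patterns` cleanly.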