Kerberizing Chrome - Managed Preferences

ClassyLee
New Contributor III

I've seen a couple of discussions on JAMF Nation about kerberizing Chrome using command-line switches, MCX, and Chrome's "preference list" and I was hoping someone could help me figure out an issue I'm having or at least verify that I'm not the only one having the problem.

I'm trying to use WGM/MCX (locally while testing) to enable Kerberos using the "AuthServerWhitelist" parameter. I can see that the policy is being applied to Chrome when I type chrome://policy into the browser; however, when I try to go to an internal site I'm prompted for my user ID and password (NTLM Auth).

If I launch chrome using the following string from the command line and try to access the same site I'm not prompted for my credentials and kerberos works as expected:

open -n -a 'Google Chrome.app' --args --auth-server-whitelist="site1,site2,site3"

In order to make sure that MCX policies were working I added another parameter to the policy "AuthSchemes" and enabled "Negotiate,Digest" (leaving NTLM out on purpose).

After refreshing the policy and trying the same site again, I was immediately denied access, since Chrome was forced to not default to NTLM - this tells me that Chrome is reading and enforcing policies fed to it by local MCX.

So I'm left scratching my head wondering why it will not honor or enforce the "AuthServerWhitelist" policy.

Has anyone else experienced this or know how to fix it besides feeding Chrome the white list from the command line at launch?

13 REPLIES

jstrauss
Contributor

Bump! How's that for reviving a dead thread. We just pushed this at work. On current versions of Chrome:

defaults write com.google.Chrome AuthServerWhitelist "yourdomain.com"

Here's the script I wrote to push it to Chrome and FF users: http://jeffstrauss.com/?p=1689

Matt
Valued Contributor

Bumping this because the link is dead.

jhbush
Valued Contributor II

Matt
Valued Contributor

SMH! Sites blocked.

I'll check it out when I get home.

Managing Chrome is a nightmare.

jhbush
Valued Contributor II

@Matt

#!/bin/bash

# Add trusted realms to Chrome and Firefox configs
# 2013-09-03 @jestr
#
### REPLACE "yourRealm" with your realm! ###
#
realm="yourRealm"
currentUser=$(ls -l /dev/console | awk '{ print $3 }')
# Resolve the first *.default profile once; the path contains a space, so keep it quoted
prefsFile=$(ls "/Users/$currentUser/Library/Application Support/Firefox/Profiles/"*.default/prefs.js 2>/dev/null | head -n 1)
# Match only the trusted-uris pref so other network.negotiate-auth.* prefs are left untouched
prefName="network.negotiate-auth.trusted-uris"
prefExists=$(grep -F "$prefName" "$prefsFile" 2>/dev/null)
twPrefExists=$(grep -F "$prefName" "$prefsFile" 2>/dev/null | grep -F "$realm")
# [F] keeps grep from matching its own entry in the process list
isFirefoxRunning=$(ps ax | grep "[F]irefox")
# Add realm to Chrome
if [ ! -f /Users/"$currentUser"/Library/Preferences/com.google.Chrome.plist ]; then
  touch /Users/"$currentUser"/Library/Preferences/com.google.Chrome.plist
fi
defaults write /Users/"$currentUser"/Library/Preferences/com.google.Chrome AuthServerWhitelist "$realm"
chown "$currentUser":staff /Users/"$currentUser"/Library/Preferences/com.google.Chrome.plist

# Add/append realm to Firefox
if [[ -n $isFirefoxRunning ]]; then
  osascript <<AppleScript
tell application "Finder"
  activate
  display dialog "Firefox is currently running. Firefox must be quit and this policy must be reinitiated for your browsing sessions to be trusted." default button "OK"
end tell
AppleScript
  exit 1
elif [[ -z $prefsFile ]]; then
  # No Firefox profile for this user, nothing to update
  exit 0
elif [[ -n $prefExists && -z $twPrefExists ]]; then
  existingRealms=$(grep -F "$prefName" "$prefsFile" | cut -d '"' -f 4)
  updatedRealms="$existingRealms, $realm"
  # mktemp instead of a fixed /tmp name: the script runs as root
  tmpFile=$(mktemp /tmp/tempKerbFile.XXXXXX)
  grep -vF "$prefName" "$prefsFile" > "$tmpFile"
  printf 'user_pref("%s", "%s");\n' "$prefName" "$updatedRealms" >> "$tmpFile"
  mv "$tmpFile" "$prefsFile"
  # Hand the replaced file back to the user so Firefox can still write to it
  chown "$currentUser":staff "$prefsFile"
elif [[ -z $prefExists ]]; then
  tmpFile=$(mktemp /tmp/tempKerbFile.XXXXXX)
  cat "$prefsFile" > "$tmpFile"
  printf 'user_pref("%s", "%s");\n' "$prefName" "$realm" >> "$tmpFile"
  mv "$tmpFile" "$prefsFile"
  chown "$currentUser":staff "$prefsFile"
else
  exit 0
fi

Not applicable

I had something similar for FF awhile back, this looks great for Chrome.

Can anyone describe what sites or functions you've Kerberized through the browser and how well things are working?

bentoms
Release Candidate Programs Tester

FWIW, we've done:

Value com.google.Chrome AuthServerWhitelist
*.domain.com

Primarily for our SharePoint farm, as this is now our homepage too.

Matt
Valued Contributor

Has anyone had luck with the Manifest? I uploaded the manifest and set up my changes but it's not applying.

jhbush
Valued Contributor II

@Matt I haven't had any luck yet getting this to work. It seems to be the suggested method according to other sites.

Matt
Valued Contributor

I built the pref by hand and then stuck it in the Managed Pref folder. Voilà!

jhbush
Valued Contributor II

@Matt it must be something else wrong. I tried a user profile with no luck. The setting is there; it's just not being respected.

Matt
Valued Contributor

When I go to about:policy after sticking the plist in the Managed Preference/User folder it shows the setting. If I put the plist in the preferences folder... nothing. Google you make me angry.

bentoms
Release Candidate Programs Tester

Gents,

You should be able to test via defaults (mind CFPREFSD though).

Also the URL needs to be like *.macmule.com with the sites you need access to being like: mysite.macmule.com
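
Added example, not part of any post in this thread: the replies report that Chrome honoured AuthServerWhitelist from the Managed Preferences folder and that entries should look like `*.domain`, and since every host on that list is one Chrome will attempt integrated authentication with, this sketch checks the patterns before writing the plist. The acceptance rules are a conservative local assumption, not Chrome's own pattern parser; the function names, the example.com hosts and the target directory (in practice the per-user Managed Preferences folder) are assumptions or constructed values.

```shell
#!/bin/sh
# Added example (not from the thread). Hostnames below are constructed.

# check_patterns "a,b,c": report entries that this local rule set treats as
# too broad or malformed; return 1 if any entry is rejected.
check_patterns() {
  bad=0
  old_ifs=$IFS; IFS=','
  set -f                          # stop "*" from globbing while splitting
  for entry in $1; do
    host=${entry#\*.}             # drop one leading "*." if present
    case "$host" in
      ''|*[!A-Za-z0-9.-]*)        # empty, extra "*", scheme, path, blanks
        echo "rejected: '$entry'" >&2; bad=1 ;;
      *.*) ;;                     # host or wildcard over a named domain
      *)                          # single label, e.g. "*.com" or "intranet"
        echo "rejected: '$entry'" >&2; bad=1 ;;
    esac
  done
  set +f; IFS=$old_ifs
  return $bad
}

# write_managed_plist DIR "patterns": write com.google.Chrome.plist into DIR
# only when every pattern passes check_patterns. DIR is assumed to be the
# per-user Managed Preferences folder, e.g. /Library/Managed Preferences/<user>.
write_managed_plist() {
  check_patterns "$2" || return 1
  mkdir -p "$1" || return 1
  cat > "$1/com.google.Chrome.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>AuthServerWhitelist</key>
  <string>$2</string>
</dict>
</plist>
EOF
}

# Demo against a scratch directory so nothing on the system is changed.
demo_dir=$(mktemp -d)
write_managed_plist "$demo_dir" "*.corp.example.com,intranet.corp.example.com" \
  && cat "$demo_dir/com.google.Chrome.plist"
```

After deploying the real file, chrome://policy should list the value, as described earlier in the thread.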