RapidIdentity Product Guide

Group Policy Configuration

Certain configuration changes need to be made on each Windows workstation to support Kerberos Authentication. Rather than managing these settings on each workstation individually, configure a group policy to apply them automatically.

  1. Add your RapidIdentity URL to the Intranet Sites list

    1. User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignments List

      1. Set this policy to Enabled

        1. Add an assignment for your RapidIdentity server to Intranet Sites, for example

          1. Value Name: https://my.example.com

          2. Value: 1

  2. Create a batch script (see template below) that configures Firefox, and store it in \\test.local\NETLOGON\kerberos.bat

  3. Set the Group Policy to run this batch script on user logon

    1. Computer Configuration > Policies > Windows Settings > Scripts > Startup

Note

On Windows workstations, Internet Explorer should be configured to "Enable Integrated Windows Authentication." This should be enabled by default, but can be verified by opening Internet Explorer settings and finding the setting on the Advanced tab.

Note

Google Chrome shares Internet Explorer configuration, so no additional configuration should be necessary to enable Google Chrome to use Kerberos Authentication.

@echo off
REM Write the Kerberos settings into each *.default Firefox profile of the current user

FOR /F "tokens=*" %%R IN ('dir /B /AD "%APPDATA%\Mozilla\Firefox\Profiles\*.default"') DO CALL :write_settings %%R
GOTO :EOF

:write_settings
REM skip the profile if it has no prefs.js
>nul DIR "%APPDATA%\Mozilla\Firefox\Profiles\%1\prefs.js" /A /B
if ERRORLEVEL 1 GOTO :EOF

REM configure the prefs.js file if it hasn't already been configured
>nul find "my.example.com" "%APPDATA%\Mozilla\Firefox\Profiles\%1\prefs.js" || (
    echo user_pref^("network.negotiate-auth.trusted-uris", "https://my.example.com"^); >> "%APPDATA%\Mozilla\Firefox\Profiles\%1\prefs.js"
    echo user_pref^("network.negotiate-auth.delegation-uris", "https://my.example.com"^); >> "%APPDATA%\Mozilla\Firefox\Profiles\%1\prefs.js"
    echo user_pref^("network.automatic-ntlm-auth.trusted-uris", "https://my.example.com"^); >> "%APPDATA%\Mozilla\Firefox\Profiles\%1\prefs.js"
)
REM clear the archive attribute on prefs.js
ATTRIB -A "%APPDATA%\Mozilla\Firefox\Profiles\%1\prefs.js"
GOTO :EOF
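
To confirm on a workstation that the policy and the logon script took effect, the following PowerShell check reads the Site to Zone Assignment value and the three Firefox preferences. It is an added example, not part of the RapidIdentity guide. It goes beyond the template by inspecting every profile directory rather than only *.default; the function names are illustrative, and the registry key is the per-user location where Windows stores this policy.

```powershell
# Added verification sketch, run as the logged-on user. $Url defaults to this page's example value.
param([string]$Url = 'https://my.example.com')

$prefNames = 'network.negotiate-auth.trusted-uris',
             'network.negotiate-auth.delegation-uris',
             'network.automatic-ntlm-auth.trusted-uris'

function Get-FirefoxPref {
    # Return the string value of one user_pref() entry, or $null if it is absent.
    param([string[]]$Lines, [string]$Name)
    $pattern = '^\s*user_pref\("' + [regex]::Escape($Name) + '",\s*"([^"]*)"\);'
    $value = $null
    foreach ($line in $Lines) {
        if ($line -match $pattern) { $value = $Matches[1] }  # a later entry overrides an earlier one
    }
    $value
}

function Test-IntranetZoneMapping {
    # True when the Site to Zone Assignment policy maps $Url to zone 1 (Intranet) for this user.
    param([string]$Url)
    $key = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    $k = Get-Item -Path $key -ErrorAction SilentlyContinue
    [bool]($k -and ($k.GetValue($Url) -eq '1'))
}

# Check every profile directory, not only those matching *.default.
$profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
$report = foreach ($dir in Get-ChildItem -Path $profileRoot -Directory -ErrorAction SilentlyContinue) {
    $prefsFile = Join-Path $dir.FullName 'prefs.js'
    $lines = if (Test-Path $prefsFile) { Get-Content $prefsFile } else { @() }
    foreach ($name in $prefNames) {
        $actual = Get-FirefoxPref -Lines $lines -Name $name
        [pscustomobject]@{
            Profile = $dir.Name
            Pref    = $name
            Value   = $actual
            Ok      = ($actual -eq $Url)   # exact match: flags missing or broader values
        }
    }
}

"Intranet zone mapping for ${Url}: $(Test-IntranetZoneMapping $Url)"
$report | Format-Table -AutoSize
```

Rows with Ok = False identify profiles the logon script did not reach, or preferences whose value differs from the single RapidIdentity URL.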