summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPetr Vobornik <pvoborni@redhat.com>2015-07-17 15:57:30 +0200
committerMartin Basti <mbasti@redhat.com>2015-07-27 13:50:49 +0200
commita4be844809179ff0a05286606df1487d81a70022 (patch)
treed448a4d3d1c56f1a2ddcd886135da6e5c91d3624
parent5df48d74a0b473f80f728c83b41d7660398a11a4 (diff)
downloadfreeipa-a4be844809179ff0a05286606df1487d81a70022.zip
freeipa-a4be844809179ff0a05286606df1487d81a70022.tar.gz
freeipa-a4be844809179ff0a05286606df1487d81a70022.tar.xz
webui: add Kerberos configuration instructions for Chrome
* IE section moved at the end * Chrome section added * FF and IE icons removed https://fedorahosted.org/freeipa/ticket/823 Reviewed-By: Martin Basti <mbasti@redhat.com>
-rw-r--r--install/html/ssbrowser.html111
-rw-r--r--install/ui/images/firefox-icon.pngbin6107 -> 0 bytes
-rw-r--r--install/ui/images/ie-icon.pngbin5265 -> 0 bytes
3 files changed, 80 insertions, 31 deletions
diff --git a/install/html/ssbrowser.html b/install/html/ssbrowser.html
index d901032..685800e 100644
--- a/install/html/ssbrowser.html
+++ b/install/html/ssbrowser.html
@@ -54,38 +54,8 @@
<div class="col-sm-12">
<div class="ssbrowser">
<h1>Browser Kerberos Setup</h1>
- <h2><img alt="Internet Explorer" src="../ui/images/ie-icon.png">Internet Explorer Configuration</h2>
- <p>
- Once you are able to log into the workstation with your kerberos key you are now able to use that ticket in Internet Explorer.
- </p>
- <p>
- <strong>Login to the Windows machine using an account of your Kerberos realm (administrative domain)</strong>
- </p>
- <p>
- <strong>In Internet Explorer, click Tools, and then click Internet Options.</strong>
- </p>
- <div>
- <ol>
- <li>Click the Security tab</li>
- <li>Click Local intranet</li>
- <li>Click Sites </li>
- <li>Click Advanced </li>
- <li>Add your domain to the list</li>
- </ol>
- <ol>
- <li>Click the Security tab</li>
- <li>Click Local intranet</li>
- <li>Click Custom Level</li>
- <li>Select Automatic logon only in Intranet zone</li>
- </ol>
-
- <ol>
- <li> Visit a kerberized web site using IE (You must use the fully-qualified Domain Name in the URL)</li>
- <li><strong> You are all set.</strong></li>
- </ol>
- </div>
- <h2><img alt="Firefox" src="../ui/images/firefox-icon.png">Firefox Configuration</h2>
+ <h2>Firefox</h2>
<p>
You can configure Firefox to use Kerberos for Single Sign-on. The following instructions will guide you in configuring your web browser to send your Kerberos credentials to the appropriate Key Distribution Center which enables Single Sign-on.
@@ -117,6 +87,85 @@
</li>
</ol>
+ <h2>Chrome</h2>
+
+ <p>
+ You can configure Chrome to use Kerberos for Single Sign-on. The following instructions will guide you in configuring your web browser to send your Kerberos credentials to the appropriate Key Distribution Center which enables Single Sign-on.
+ </p>
+
+ <h3>Import CA Certificate</h3>
+ <ol>
+ <li>
+ Download the <a href="ca.crt">CA certificate</a>. Alternatively, if the host is also an IdM client, you can find the certificate in /etc/ipa/ca.crt.
+ </li>
+ <li>
+ Click the menu button with the <em>Customize and control Google Chrome</em> tooltip, which is by default in the top right-hand corner of Chrome, and click <em>Settings</em>.
+ </li>
+ <li>
+ Click <em>Show advanced settings</em> to display more options, and then click the <em>Manage certificates</em> button located under the HTTPS/SSL heading.
+ </li>
+ <li>
+ In the <em>Authorities</em> tab, click the <em>Import</em> button at the bottom.
+ </li>
+ <li>Select the CA certificate file that you downloaded in the first step.</li>
+ </ol>
+
+ <h3>
+ Enable SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) to Use Kerberos Authentication
+ in Chrome
+ </h3>
+ <ol>
+ <li>
+ Make sure you have the necessary directory created by running:
+ <div><code>
+ [root@client]# mkdir -p /etc/opt/chrome/policies/managed/
+ </code></div>
+ </li>
+ <li>
+ Create a new <code>/etc/opt/chrome/policies/managed/mydomain.json</code> file with write privileges limited to the system administrator or root, and include the following line:
+ <div><code>
+ { "AuthServerWhitelist": "*<span class="example-domain">.example.com.</span>" }
+ </code></div>
+ <div>
+ You can do this by running:
+ </div>
+ <div><code>
+ [root@server]# echo '{ "AuthServerWhitelist": "*<span class="example-domain">.example.com.</span>" }' > /etc/opt/chrome/policies/managed/mydomain.json
+ </code></div>
+ </li>
+ </ol>
+
+ <h2>Internet Explorer</h2>
+ <p>
+ Once you are able to log into the workstation with your kerberos key you are now able to use that ticket in Internet Explorer.
+ </p>
+ <p>
+ <strong>Login to the Windows machine using an account of your Kerberos realm (administrative domain)</strong>
+ </p>
+ <p>
+ <strong>In Internet Explorer, click Tools, and then click Internet Options.</strong>
+ </p>
+ <div>
+ <ol>
+ <li>Click the Security tab</li>
+ <li>Click Local intranet</li>
+ <li>Click Sites </li>
+ <li>Click Advanced </li>
+ <li>Add your domain to the list</li>
+ </ol>
+ <ol>
+ <li>Click the Security tab</li>
+ <li>Click Local intranet</li>
+ <li>Click Custom Level</li>
+ <li>Select Automatic logon only in Intranet zone</li>
+ </ol>
+
+ <ol>
+ <li> Visit a kerberized web site using IE (You must use the fully-qualified Domain Name in the URL)</li>
+ <li><strong> You are all set.</strong></li>
+ </ol>
+ </div>
+
</div>
</div>
</div>
diff --git a/install/ui/images/firefox-icon.png b/install/ui/images/firefox-icon.png
deleted file mode 100644
index ca149a4..0000000
--- a/install/ui/images/firefox-icon.png
+++ /dev/null
Binary files differ
diff --git a/install/ui/images/ie-icon.png b/install/ui/images/ie-icon.png
deleted file mode 100644
index 52f7a83..0000000
--- a/install/ui/images/ie-icon.png
+++ /dev/null
Binary files differ