Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). Original StackOverflow URL: http://stackoverflow.com/questions/8616818/

Time: 2020-10-21 08:42:51  Source: igfitidea

Integrated Windows Auth (NTLM) on a Mac using Google Chrome or Safari

macos google-chrome iis-7 ntlm

Asked by Louis Ricci

An IIS7 Intranet site with Windows Authentication enabled. When hit from Chrome on Windows the pass-through authentication works fine (no User / Password prompt); however, with Chrome on a Mac you get a prompt. Since the internal network uses CAC/PKI no one has a password.

I've tried toggling the Windows Authentication on the site to negotiate, but same user/pass prompt.

appcmd set config /section:windowsAuthentication /-providers.[value='Negotiate']

Anyone know a solution for Chrome on OS X?

EDIT

OS X 10.6.8

Centrify for Mac will be used to authenticate to the (Windows 2008 R2 ActiveDirectory) network via CAC.

EDIT 2

There is a proxy setup, but it gets bypassed for local intranet sites, so I don't think it is playing a role.

Also tried using the --auth-server-whitelist command line switch, didn't work.

EDIT 3

SOLUTION

open 'Google Chrome.app' --args --auth-server-whitelist="*DOMAIN.TLD" --auth-negotiate-delegate-whitelist="*DOMAIN.TLD" --auth-schemes="digest,ntlm,negotiate"

Unfortunately Google Chrome for Mac has no way of specifying command line arguments on every load, so some sort of shell script will need to be made.

Running the following shell script at log in was the final solution to get around Chrome updates and extra doc icons.

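#!/bin/bash
# Replace the Chrome binary with a wrapper script that always passes the auth switches.
cd "/Applications/Google Chrome.app/Contents/MacOS/" || exit 1
if [ -f 'Google Chrome.bin' ];
then
   echo "Already Modified"
else
   sudo chmod u+wr ./
   sudo mv 'Google Chrome' 'Google Chrome.bin'
   # Write the wrapper through "sudo tee": with "sudo echo ... > file" the
   # redirection is done by the calling shell, without root privileges.
   # "$@" forwards any arguments given to the wrapper on to the real binary.
   printf '%s\n' '#!/bin/bash' \
      'exec /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.bin --args --auth-server-whitelist="*DOMAIN.TLD" --auth-negotiate-delegate-whitelist="*DOMAIN.TLD" --auth-schemes="digest,ntlm,negotiate" "$@"' \
      | sudo tee 'Google Chrome' > /dev/null
   sudo chmod a+x 'Google Chrome'
   echo "NTLM Will now work in chrome"
fi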

Accepted answer by one.beat.consumer

This isn't a bug at the moment. The Mac version of Chrome simply does not support/respect Kerberos policies ("Negotiate" Windows Authentication) unless the domain is white-listed and the browser is fired from the command line. See this link posted 10/31/2011:

http://code.google.com/p/chromium/issues/detail?id=102339

It looks like you might be able to permanently white-list a domain though:

http://www.google.com/support/forum/p/Chrome/thread?tid=592eb87350d9d528&hl=en

Since you have already tried the white-list switch, I looked closer and it is an OSX thing... 10.7 is necessary for the switch to work properly with Chrome. Your 10.6 version won't work without a third party tool like Centrify.

Not a happy answer, but the truth.

Answer by yuanli

It seems we can do the following configuration in Terminal,

$ defaults write com.google.Chrome AuthServerWhitelist "*.example.com"
$ defaults write com.google.Chrome AuthNegotiateDelegateWhitelist "*.example.com"
$ defaults write com.google.Chrome AuthSchemes "digest,ntlm,negotiate"
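
Added example (not part of the original question or answers): a small shell audit for the allowlist values set above, flagging entries such as *DOMAIN.TLD that also match lookalike host names, unlike *.example.com. It assumes each comma-separated entry is matched against the server host name as a case-insensitive glob; the function names and sample host names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit Chrome auth allowlist values for over-broad wildcards.
# Assumption: each comma-separated entry is matched against the server host
# name as a case-insensitive glob. All function names here are hypothetical.

# host_matches PATTERN HOST: exit 0 if HOST matches the glob PATTERN.
host_matches() {
    p=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    h=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$h" in
        $p) return 0 ;;
        *)  return 1 ;;
    esac
}

# classify_pattern PATTERN: prints ok, broad-suffix or match-all.
classify_pattern() {
    case "$1" in
        '*')   echo match-all ;;     # every server is offered integrated auth
        '*.'*) echo ok ;;            # anchored at a dot: subdomains only
        '*'*)  echo broad-suffix ;;  # any host name that merely ends in the text
        *)     echo ok ;;            # exact host name
    esac
}

# audit_allowlist VALUE: prints "verdict entry" per entry; exit 1 if any is not ok.
audit_allowlist() {
    rc=0
    old_ifs=$IFS
    IFS=,
    set -f                           # keep * from expanding to local file names
    for entry in $1; do
        verdict=$(classify_pattern "$entry")
        [ "$verdict" = ok ] || rc=1
        echo "$verdict $entry"
    done
    set +f
    IFS=$old_ifs
    return "$rc"
}

# Constructed sample: the switch-style pattern and the "defaults write" style.
audit_allowlist '*DOMAIN.TLD,*.example.com' || echo "review the entries above"
host_matches '*DOMAIN.TLD' 'lookalikedomain.tld' && echo "*DOMAIN.TLD matches lookalikedomain.tld"
host_matches '*.DOMAIN.TLD' 'lookalikedomain.tld' || echo "*.DOMAIN.TLD does not"
```

On a Mac, the value to audit can be read back with: defaults read com.google.Chrome AuthServerWhitelist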

Answer by mentat

defaults write com.google.Chrome AuthServerWhitelist '<your domain>' will permanently allow kerberos to a server or set of servers (*.mydomain.local).
