The PingFederate Integrated Windows Authentication (IWA) Adapter supports the Kerberos and NTLM authentication protocols, but some browsers need to be configured to utilize them. The following guide will define which settings are necessary in each browser. For Kerberos and NTLM authentication, the PingFederate IWA Adapter utilizes the SPNEGO (Simple and Protected GSS-API Negotiation) mechanism to negotiate either Kerberos or NTLM as the underlying authentication protocol. Each browser below supports SPNEGO, but differences exist that may affect which protocol is negotiated in each instance, due to the combination of browser and OS. Security zones in IE (Tools → Internet Options → Security): By default, any IWA authentication request originating from an Internet host will not be allowed.
It is possible that your plug-ins have been disabled in Safari, and that you need to re-enable them. Choose Safari > Preferences. Click Security. Select the checkbox marked 'Allow Plug-ins'. Enable JavaScript in Safari. Launch Safari from your desktop or Dock. From the main menu at the top of your screen, click Safari and then Preferences Click the Security icon. In the Web content section, ensure that the Enable JavaScript check box has been checked. Close this window.
The default setting is to only allow clients to automatically provide credentials to hosts within the Intranet zone. Sites are considered to be in the Intranet zone: if the connection was established using a UNC path (i.e. Pingsso); the site bypasses the proxy server; or host names that don't contain periods (i.e.
Intranet Zone security settings: Most PingFederate SSO connections will use the fully-qualified domain name (FQDN) in SSO URLs, so it will not be categorized as being in the Intranet zone. As such, the browser must be configured trust the host by adding the PingFederate hostname to the Trusted sites zone.
Here, the default setting is Automatic logon with current user name and password, which implies Kerberos will be used if available, then NTLM. The setting Prompt for user name and password will bypass Kerberos and go straight to NTLM authentication. Even if the IWA Adapter supports Kerberos, the client will not attempt to send a Kerberos token within the Authenticate header. On computers (i.e: servers) with Internet Explorer Enhanced Security Configuration enabled the automatic login behavior will be overridden with a logon prompt. The logon prompt will allow Kerberos and NTLM logon functionality however it will not use the cached credentials from the user login. To configure Internet Explorer to fully support the IWA adapter, within Internet Explorer, choose Tools → Internet Options → click the Security tab → click on Trusted sites →and click Custom level. Scroll all the way to bottom under User Authentication and under Logon, select Automatic logon with current user name and password.
Trusted Sites Zone security settings: Once this is configured click OK, then click on the Sites button under Trusted sites, and insert the PingFederate server's hostname. Optionally, wildcards can be included to trust any host name within the AD domain (i.e. Trusted Sites: The above settings work for domain-joined computers (i.e. Computers with an Active Directory account principal and trust relationship), as well as non-domain-joined computers. For domain-joined computers, an AD user account would need to be logged in, and the Kerberos authentication protocol would be negotiated during SSO.
![How How](/uploads/1/2/5/4/125400761/749758426.png)
In the case of a non-domain-joined computer, the Kerberos protocol ( Negotiate in the WWW-Authenticate header) would not be negotiated, thus a fall back to NTLM. In this case, the user would be prompted for credentials, which they would enter ADEXAMPLE joe and the password to be authenticated.Note: The NetBIOS domain name (ADEXAMPLE in the example above) MUST be used to qualify the user name if: (1) the computer is not joined to an AD domain; or (2) there are multiple AD domains or forests and the user is authenticating over a cross-domain trust (i.e. The user is in DomainA, but the PingFederate NTLM computer account is joined to DomainB). The NTLM protocol assumes the user is logging in to the domain where the PingFederate computer account exists. This is why the user name must be qualified by the domain to function correctly. Also note it is possible to add the PingFederate URL to the Local Intranet zone as an alternative to adding it to the Trusted sites zone. Reasons for this may vary based on the network design of the environment, but setting automatic logon for the Trusted sites zone implies that Negotiate/Authorization credentials may be sent in requests to sites outside of the Intranet Zone.
Firefox Mozilla Firefox supports the SPNEGO authentication protocol, but must be configured to work correctly for Kerberos authentication. Firefox does not use the concept of security zones like Internet Explorer, but will not automatically present Kerberos credentials to any host unless explicitly configured. By default, Firefox rejects all SPNEGO challenges from any Web server, including the IWA Adapter.
Firefox must be configured for a whitelist of sites permitted to exchange SPNEGO protocol messages with the browser. The two settings are: network.negotiate-auth.trusted-uris network.automatic-ntlm-auth.trusted-uris These settings can be defined by: 1. Navigate to the URL about:config in Firefox.
Click the I'll be careful, I promise! In the Search dialog box, search for the above preferences: 3. In each of the preferences, specify any host or domain names, delimited with commas. Please note that domains can wildcarded by specifying a domain suffix with a dot in front (i.e.adexample.pingidentity.com): Just like in Internet Explorer, the computer making the SSO request to the IWA adapter must also be joined to Active Directory (AD) and be logged on with a domain user account. The same goes for Kerberos vs. NTLM negotiation - if the computer is not domain-joined, it will fall back to NTLM. For Firefox running on Mac OS, SPNEGO will negotiate both Kerberos and NTLM if the computer is joined to AD.
On non-domain-joined Mac OS, only NTLM will be selected as a mechanism for SPNEGO. For more information on enabling SPNEGO in Firefox, refer. Chrome Google Chrome in Windows will use the, so configure within Internet Explorer's Tools, Internet Options dialog, or by going to Control Panel and selecting Internet Options within sub-category Network and Internet. For Chrome under Mac OS X, SPNEGO will work without any additional confguration, but will only negotiate to NTLM. It is possible to configure a setting named AuthServerWhitelist to authorize host or domain names for SPNEGO protocol message exchanges. There are a couple ways this can be done: (1) from the command line; or (2) joining Mac OS to AD.
Due to a new issue with the latest MAC OS X Flash Player (Flash Player 25.0.0.148 at the time of this article), users on a Mac using Firefox or Safari web browsers may get a warning when trying to launch the Connect Meeting Add-in. The Flash Player team has identified the issue and it will be resolved with the release of Flash Player 25.0.0.159 for MAC OSX (date of release: April 20, 2017). You can obtain this release of the Flash Player on April 20th by going to:. The error message wording and button options depends on your Mac System Preference - Security & Privacy settings: If you have “ Allow apps downloaded from” set to “ App Store and identified developers“, then you won’t see an OK button (and the Connect Add-in won’t open). MacOS 10.12 (Sierra) Apple has removed the “ Anywhere” option for the ‘ Allow apps downloaded from:’ option in the Security and Privacy settings (though, there is a way around it with terminal commands: ). Depending of the version of Flash Player installed on your MAC, you will may experience different issues when installing the Connect add-in.
For MAC OS X users using Safari or Firefox who currently have an older version of the add-in installed: NOTE: ‘Installed from lighting’ below refers the the workflow of installing he Connect Add-in from within a Connect meeting room. With Flash Player 24 or lower installed. The Connect Add-in installed from lightning works as expected. With Flash Player 25.0.0.127 installed. The Connect Add-in installed from lightning will show the below error/warning and the Connect Add-in update will fail.
With Flash Player 25.0.0.148 installed. The Connect Add-in installed from lightning will show the below error/warning and the Connect Add-in update will be successful. With Flash Player 25.0.0.159 and higher (yet to be released).
The Connect Add-in installed from lightning will NOT show the below error/warning and the Connect Add-in update will be successful. NOTE: Starting with version 9.6 of Connect, the new Connect Add-in 11.9.979.366 will be the required version of the MAC Connect Add-in. You may see the following pop up below in Safari and Firefox for MAC OSX. NOTE: In Chrome browser, you will not encounter this error, as Chrome uses a different version of the Flash Player embedded in the browser.
![How To Allow Adobe On Safari On Os X 10.10.5 How To Allow Adobe On Safari On Os X 10.10.5](/uploads/1/2/5/4/125400761/392792575.jpg)
Depending on your Mac settings, you may see the following prompt when the add-in tries to launch. If you click ‘Open’, it will open up as expected. NOTE: This is the workaround until the new Flash Player with the fix is released. If you are in the situation where add-in will not launch and it’s only opening up in the browser, one way to try to circumvent this issue is to click on the ‘ Help‘ menu in the top right-hand corner and select ‘ Install Adobe Connect Add-in‘. Even if you have already installed the add-in, selecting to reinstall the add-in will toggle the security settings and allow the add-in to launch.
If you continue to experience issue launching the Connect Add-in, please contact the Connect support team for further assistance.