Intranet/Intranet Client Configuration

From mediawiki.org

MediaWiki is accessed via a web browser, and clients may need some configuration changes to work properly with the Intranet as documented here. Assuming that the wiki uses a TLS certificate signed by a certificate authority (typically an internal enterprise CA), the client system must also trust that CA. IE, Chrome and Chromium use the Windows trust store, which should already include the enterprise CAs. Firefox on Windows has support for using the Windows trust store, but it is disabled by default; we show how to enable it. All clients must be "domain joined". You can check that you have valid Kerberos tickets on both Windows and Linux with the klist command.

NOTE: Browsers are constantly changing and these notes are getting on a bit. Firefox and Chrome/Chromium have GPOs these days on Windows (search for details). I'll update this lot soonish!

IE

Configuring Internet Explorer for Automatic Logon [1]

Firefox

Manual configuration

On both Windows and Linux, open about:config, search for the following options and set them as shown (note the leading dot in the domain name):

security.enterprise_roots.enabled = true
network.negotiate-auth.trusted-uris = .example.co.uk

Group Policy

Create two files [2]. Be careful with the extensions: the first file is .js and the second is .cfg. Both files must have a // comment on their first line. The general.config.obscure_value option controls whether the settings file is obscured; setting it to 0 means the .cfg file is plain text and you can read the settings it applies in about:config.

enable_local_policy.js:

// Enable site local Firefox policy
pref("general.config.filename", "local_policy.cfg");
pref("general.config.obscure_value", 0);

local_policy.cfg:

// Site local Firefox policy
pref("security.enterprise_roots.enabled", true);
pref("network.negotiate-auth.trusted-uris", ".example.co.uk");

Copy the two files to a central location that is accessible to all client PCs. One possibility is \\example.co.uk\SYSVOL\example.co.uk\firefox, that is, the SYSVOL share on your domain controllers. These files are tiny, so replicating them there causes no problems.

Create a Group Policy object or edit an existing one and create two File items:

Group Policy: Computer Configuration -> Preferences -> Windows Settings -> Files

File item 1:
  Name:   enable_local_policy.js
  Order:  1
  Action: Update
  Source: \\example.co.uk\sysvol\example.co.uk\Firefox\enable_local_policy.js
  Target: C:\Program Files (x86)\Mozilla Firefox\defaults\pref\enable_local_policy.js

File item 2:
  Name:   local_policy.cfg
  Order:  2
  Action: Update
  Source: \\example.co.uk\sysvol\example.co.uk\Firefox\local_policy.cfg
  Target: C:\Program Files (x86)\Mozilla Firefox\local_policy.cfg
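Before pushing the two autoconfig files out through Group Policy it is worth checking them mechanically, since a missing leading // comment or a wrong obscure_value silently stops the policy from loading. The following Python script is an added example (not part of this page, nor Mozilla's own tooling): it parses pref() lines of the form shown above, checks the constraints the text states, and additionally flags a trusted-uris entry whose leading-dot domain is a public suffix such as .co.uk, because such an entry would cover every host under that suffix. The public suffix list used here is a constructed stand-in of a few entries, and the "public suffix is too broad" rule is this example's own check.

```python
"""Lint a Firefox autoconfig pair: the enable file (.js) and the policy file (.cfg)."""
import re

# Matches autoconfig lines of the form  pref("name", value);
PREF_RE = re.compile(r'^\s*pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

# Constructed, deliberately short stand-in for the public suffix list: a
# leading-dot trusted-uris entry equal to one of these matches far too many hosts.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "org.uk", "ac.uk", "de", "fr"}


def parse_prefs(text):
    """Return {name: value} for every pref() line; values become bool, int or str."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref() call
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def first_line_is_comment(text):
    """Autoconfig files are only honoured when their first line is a // comment."""
    lines = text.splitlines()
    return bool(lines) and lines[0].startswith("//")


def lint_autoconfig(js_text, cfg_text, cfg_name="local_policy.cfg"):
    """Return a list of problems; an empty list means the pair looks deployable."""
    problems = []
    if not first_line_is_comment(js_text):
        problems.append("js: first line must be a // comment")
    if not first_line_is_comment(cfg_text):
        problems.append("cfg: first line must be a // comment")

    js, cfg = parse_prefs(js_text), parse_prefs(cfg_text)

    if js.get("general.config.filename") != cfg_name:
        problems.append(f'js: general.config.filename must be "{cfg_name}"')
    # obscure_value 0 means the .cfg is read as plain text (no byte shifting).
    if js.get("general.config.obscure_value") != 0:
        problems.append("js: general.config.obscure_value must be 0 for a plain-text .cfg")

    if cfg.get("security.enterprise_roots.enabled") is not True:
        problems.append("cfg: security.enterprise_roots.enabled must be true")

    uris = cfg.get("network.negotiate-auth.trusted-uris", "")
    entries = [e.strip() for e in str(uris).split(",") if e.strip()]
    if not entries:
        problems.append("cfg: network.negotiate-auth.trusted-uris is empty")
    for entry in entries:
        if entry.startswith(".") and entry[1:].lower() in PUBLIC_SUFFIXES:
            problems.append(f"cfg: trusted-uris entry {entry} is a public suffix, far too broad")
    return problems


# The two files from the page, embedded so the check runs stand-alone.
ENABLE_JS = """// Enable site local Firefox policy
pref("general.config.filename", "local_policy.cfg");
pref("general.config.obscure_value", 0);
"""

POLICY_CFG = """// Site local Firefox policy
pref("security.enterprise_roots.enabled", true);
pref("network.negotiate-auth.trusted-uris", ".example.co.uk");
"""

if __name__ == "__main__":
    for line in lint_autoconfig(ENABLE_JS, POLICY_CFG) or ["ok: no problems found"]:
        print(line)
```

Run it against the files before copying them to SYSVOL; the page's own pair passes cleanly, while a .js file that lacks the leading comment or keeps obscure_value at a non-zero value is reported.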

Chrome and Chromium

Group Policy

For Windows, Google provides group policy extensions which can be used to enable the settings.

Linux [3]

Create a directory to hold the settings. The first one below is for Chrome and the second one is for Chromium. You can create one and symlink the other to it. Note that the Chrome directory is under /etc/opt/chrome/, whereas the Chromium one is under /etc/chromium/ and not under /etc/opt/:

# mkdir -p /etc/opt/chrome/policies/managed
# mkdir -p /etc/chromium/policies/managed

Create a file such as /etc/opt/chrome/policies/managed/local_policy.json:

{
  "AuthServerAllowlist": ".example.co.uk",
  "AuthNegotiateDelegateAllowlist": ".example.co.uk"
}

Note that the key names have been changed, e.g. from AuthServerWhitelist to AuthServerAllowlist and from AuthNegotiateDelegateWhitelist to AuthNegotiateDelegateAllowlist. Google maintains a complete list [4] of policies and settings. Browse to chrome://policy/ in the browser to see which policies are in effect.
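Because the key rename means an old policy file is silently ignored, and because a wildcard in these two lists widens the set of hosts the browser will authenticate to or delegate credentials to, it helps to review the managed policy JSON before deploying it. The following Python script is an added example (not part of this page, nor Google's policy tooling): it loads the JSON, warns about the deprecated Whitelist key names, flags a bare "*" in either allowlist, and warns when a delegation entry has no matching AuthServerAllowlist entry (compared as exact strings; wildcard patterns are not expanded). The sample policy is the page's own file embedded inline.

```python
"""Review a Chrome/Chromium managed policy JSON for the Negotiate settings."""
import json

# Deprecated key names and the current names that replaced them.
RENAMED_KEYS = {
    "AuthServerWhitelist": "AuthServerAllowlist",
    "AuthNegotiateDelegateWhitelist": "AuthNegotiateDelegateAllowlist",
}


def split_servers(value):
    """Policy values are comma-separated server patterns; return them trimmed."""
    return [v.strip() for v in str(value).split(",") if v.strip()]


def lint_chrome_policy(text):
    """Return findings as (level, message) tuples; an empty list means nothing to report."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [("error", f"not valid JSON: {exc.msg} at line {exc.lineno}")]
    if not isinstance(policy, dict):
        return [("error", "top level must be a JSON object")]

    findings = []
    for old, new in RENAMED_KEYS.items():
        if old in policy:
            findings.append(("warning", f"{old} was renamed; use {new}"))

    servers = split_servers(policy.get("AuthServerAllowlist", ""))
    if not servers:
        findings.append(("error", "AuthServerAllowlist is missing or empty"))
    if "*" in servers:
        findings.append(("error", "AuthServerAllowlist contains '*': any site could trigger Negotiate"))

    delegates = split_servers(policy.get("AuthNegotiateDelegateAllowlist", ""))
    if "*" in delegates:
        findings.append(("error", "AuthNegotiateDelegateAllowlist contains '*': credentials would be delegated to any site"))
    for entry in delegates:
        # Exact-string comparison: a delegation target that is not also an
        # allowed Negotiate server has no effect and usually signals a typo.
        if entry != "*" and entry not in servers:
            findings.append(("warning", f"delegation target {entry} has no matching AuthServerAllowlist entry"))
    return findings


# The policy file from the page, embedded so the review runs stand-alone.
LOCAL_POLICY = """{
  "AuthServerAllowlist": ".example.co.uk",
  "AuthNegotiateDelegateAllowlist": ".example.co.uk"
}
"""

if __name__ == "__main__":
    for level, message in lint_chrome_policy(LOCAL_POLICY) or [("ok", "no findings")]:
        print(f"{level}: {message}")
```

Point the script at the file you intend to drop into /etc/opt/chrome/policies/managed/ (or its Chromium counterpart); anything reported as an error should be fixed before the file is deployed, and chrome://policy/ then confirms that the keys were recognised.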

References

  1. https://technet.microsoft.com/en-us/library/dd572939(v=office.13).aspx - MS Technet: Configuring IE for automatic logon
  2. https://developer.mozilla.org/en-US/Firefox/Enterprise_deployment - Mozilla Enterprise Deployment documentation
  3. https://www.chromium.org/administrators/linux-quick-start - Chromium: Linux Quick Start documentation
  4. https://cloud.google.com/docs/chrome-enterprise/policies/ - Google Chrome and Chromium policies