Intranet/Intranet Client Configuration

From MediaWiki.org
Jump to navigation Jump to search

MediaWiki is accessed via a web browser and clients may need some configuration changes to work properly with the Intranet as documented here. Assuming that the wiki is using a TLS certificate that is signed by a trusted certificate authority then the client system must also trust that CA. IE, Chrome and Chromium will use the Windows trust store which should include Enterprise CAs. Firefox on Windows does not yet but has support for it which is disabled by default and we show how to enable it. All clients must be "domain joined". You can check that you have valid Kerberos tickets on both Windows and Linux with the klist command.

IE[edit]

Configuring Internet Explorer for Automatic Logon [1]

Firefox[edit]

Manual configuration[edit]

On both Windows and Linux, about:config (note leading dot in the domain name) and search for and set these options:

security.enterprise_roots.enabled = true
network.negotiate-auth.trusted-uris = .example.co.uk

Group Policy[edit]

Create two files [2] Be careful with the extension - .js or .cfg. Both files must have a // comment in the first line. The obscure_value option can be used to obscure the settings applied, setting it to 0 means that you can read the settings in about:config.

enable_local_policy.js:

// Enable site local Firefox policy
pref("general.config.filename", "local_policy.cfg");
pref("general.config.obscure_value", 0);

local_policy.cfg:

// Site local Firefox policy
pref("security.enterprise_roots.enabled", true);
pref("network.negotiate-auth.trusted-uris", ".example.co.uk");

Copy the two files to a central location that is accessible to all client PCs. One possibility is \\example.co.uk\SYSVOL\example.co.uk\firefox , that is use the SYSVOL share on your domain controllers. These files are tiny so there should be no problems.

Create a Group Policy object or edit an existing one and create two File items:

Group Policy: Computer Configuration -> Preferences -> Windows Settings - Files
Name Order Action Source Target
enable_local_policy.js 1 Update \\example.co.uk\sysvol\example.co.uk\Firefox\enable_local_policy.js C:\Program Files (x86)\Mozilla Firefox\defaults\pref\enable_local_policy.js
local_policy.cfg 2 Update \\example.co.uk\sysvol\example.co.uk\Firefox\local_policy.cfg C:\Program Files (x86)\Mozilla Firefox\local_policy.cfg

Chrome and Chromium[edit]

Group Policy[edit]

For Windows, Google provides group policy extensions which can be used to enable the settings.

Linux [3][edit]

Create a directory to hold settings. The first one is for Chrome and the second one is for Chromium.

# mkdir -p /etc/opt/chrome/policies/managed
# mkdir -p /etc/chromium/policies/managed

Create a file such as /etc/opt/chrome/policies/managed/local_policy.json:

 {
  "AuthServerWhitelist": ".example.co.uk",
  "AuthNegotiateDelegateWhitelist": ".example.co.uk"
 }

References[edit]

  1. https://technet.microsoft.com/en-us/library/dd572939(v=office.13).aspx - MS Technet: Configuring IE for automatic logon
  2. https://developer.mozilla.org/en-US/Firefox/Enterprise_deployment - Mozilla Enterprise Deployment documentation
  3. https://www.chromium.org/administrators/linux-quick-start Chromium - Linux Quick Start documentation