Overview

All recent versions of Chrome are generally compatible with Moonshot.

On Windows, Chrome is integrated with the Windows Security Support Provider Interface (SSPI) and requires the Moonshot SSP.

macOS support is currently in development. For now, you must use the .gss_eap_id file in your home directory. See the macOS Compatibility List for more details.

Compatibility

Key

In the tables below, the following icons have the following meanings:

  • (tick) - This version of the software has been tested and verified as supporting Moonshot.
  • (error) - This version of the software has been tested and verified as not supporting Moonshot.
  • (question) - This version of the software has not yet been tested thoroughly and its status is not known. Let us know if you have tried it and whether it worked or not!

Compatibility List

Note that accessing supported versions of this software requires a Moonshot compatible client - see the next section for details on which clients are supported.

Note

Any versions not listed below have not yet been tested. If you test one, please let us know!

Version | Compatible? | Notes
Chrome v22 and later | (tick) | When running on Windows, Linux, or macOS

Installation Instructions

This software does not require any special installation instructions - install it as you normally would.

Configuration Instructions

For security reasons, Google Chrome disables the Negotiate protocol, which it refers to as Integrated Authentication, for sites outside a specific whitelist of sites. For more information on how Chrome manages HTTP Authentication, see https://www.chromium.org/developers/design-documents/http-authentication.

Windows

On Windows, Google Chrome uses Internet Explorer's Local Intranet zone as its whitelist for sites. To use Integrated Authentication, add your site to the Local Intranet zone.

For more information on the Local Intranet zone and how to add and remove sites from this zone, visit Microsoft's Change Internet Explorer Security settings.

The Windows version of Google Chrome does support a per-user exception list.

Linux

On Linux, Google Chrome uses a JSON file to define the whitelist of sites. This file is stored in /etc/opt/chrome/policies/managed or /etc/opt/chrome/policies/recommended and may be any file with a .json extension. The format of the file is:

Code Block
{
    "AuthServerWhitelist": "*.example.org, *.example2.com",
    "AuthNegotiateDelegateWhitelist": "*.example.org, *.example3.net" 
}

The Linux versions of Google Chrome and Chromium do not support a per-user exception list.

These parameters can also be set on the command line as --auth-server-whitelist and --auth-negotiate-delegate-whitelist.
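Because the whitelist decides which sites Chrome will attempt Negotiate with, it is worth checking the policy files before deploying them. The following is an added example, not part of the original page or the Moonshot project: a small Python audit of a policy directory. The file names, the sample contents other than the page's own values, and the "too broad" heuristics are assumptions of this example.

```python
import json
import tempfile
from pathlib import Path

KEYS = ("AuthServerWhitelist", "AuthNegotiateDelegateWhitelist")

def audit_policy(policy):
    """Return (key, pattern, reason) findings for one parsed policy object."""
    if not isinstance(policy, dict):
        return [("<file>", "", "top level must be a JSON object")]
    findings = []
    for key in KEYS:
        value = policy.get(key)
        if value is None:
            continue
        if not isinstance(value, str):
            findings.append((key, repr(value), "must be one comma-separated string"))
            continue
        # The policy value is a single string of comma-separated host patterns.
        for pat in (p.strip() for p in value.split(",") if p.strip()):
            if pat == "*":
                findings.append((key, pat, "matches every host"))
            elif pat.startswith("*") and "." not in pat.lstrip("*").lstrip("."):
                findings.append((key, pat, "wildcard spans a whole top-level domain"))
    return findings

def audit_dir(directory):
    """Audit each *.json file in a policy directory: file name -> findings."""
    results = {}
    for path in sorted(Path(directory).glob("*.json")):
        try:
            results[path.name] = audit_policy(json.loads(path.read_text()))
        except json.JSONDecodeError as exc:
            results[path.name] = [("<file>", "", "invalid JSON: " + exc.msg)]
    return results

def demo():
    """Run the audit over constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "moonshot.json").write_text(json.dumps({  # values from this page
            "AuthServerWhitelist": "*.example.org, *.example2.com",
            "AuthNegotiateDelegateWhitelist": "*.example.org, *.example3.net"}))
        Path(tmp, "broad.json").write_text(json.dumps({     # constructed, too broad
            "AuthServerWhitelist": "*", "AuthNegotiateDelegateWhitelist": "*.com"}))
        Path(tmp, "broken.json").write_text('{"AuthServerWhitelist": "*.example.org",}')
        return audit_dir(tmp)

if __name__ == "__main__":
    for name, found in demo().items():
        print(name, found or "ok")
```

To check a real deployment, call audit_dir on /etc/opt/chrome/policies/managed and /etc/opt/chrome/policies/recommended.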

macOS

On macOS, Google Chrome uses a macOS property list (.plist) file to define the whitelist of sites. This file is stored in ~/Library/Preferences/com.google.Chrome.plist. As with Linux, the two settings that control the Negotiate protocol are:

Code Block
{
    "AuthServerWhitelist": "*.example.org, *.example2.com",
    "AuthNegotiateDelegateWhitelist": "*.example.org, *.example3.net" 
}

To set the values, use the following commands:

Code Block
macOS-Host:~ localuser$ defaults write com.google.Chrome AuthServerWhitelist -string "*.example.org, *.example2.com"
macOS-Host:~ localuser$ defaults write com.google.Chrome AuthNegotiateDelegateWhitelist -string "*.example.org, *.example3.net"

To display the currently set values of the AuthServerWhitelist and AuthNegotiateDelegateWhitelist settings, use the following command:

Code Block
macOS-Host:~ localuser$ defaults read com.google.Chrome AuthNegotiateDelegateWhitelist
*.example.org, *.example3.net
macOS-Host:~ localuser$

Note: macOS version compatibility

It appears that versions other than El Capitan will not load the Moonshot mechanism in Chrome (due to Apple's sandboxing). We're trying to investigate this issue.

Credential Storage

Note: Credential Storage

You can also store the credentials in Chrome's own website password list, but this is not recommended as it is less secure.

For more information on how to manage your credentials in Google Chrome, visit Google's Manage your website passwords page.

Windows

On Windows, you may store the website credentials in the Windows Credential Manager before you try to connect to the website. For more information on storing credentials in the Credential Manager, see Section 2.2 of the Windows Credential Manager page.

Linux

On Linux you should use the Moonshot Identity Selector.

macOS

macOS support is currently in development. For now, you must use the .gss_eap_id file in your home directory. See the macOS Compatibility List for more details.

Server Compatibility

The following servers are known to work with this server software using Moonshot authentication (click on the link to see further information about enabling Moonshot in that server):