Intranet/Intranet Client Configuration
MediaWiki is accessed via a web browser and clients may need some configuration changes to work properly with the Intranet as documented here. Assuming that the wiki is using a TLS certificate that is signed by a trusted certificate authority then the client system must also trust that CA. IE, Chrome and Chromium will use the Windows trust store which should include Enterprise CAs. Firefox on Windows does not yet but has support for it which is disabled by default and we show how to enable it. All clients must be "domain joined". You can check that you have valid Kerberos tickets on both Windows and Linux with the klist command.
NOTE: Browsers are constantly changing and these notes are getting on a bit. Firefox and Chrome/Chromium have GPOs these days on Windows (search for details). I'll update this lot soonish!
IE
editConfiguring Internet Explorer for Automatic Logon [1]
Firefox
editManual configuration
editOn both Windows and Linux, about:config (note leading dot in the domain name) and search for and set these options:
security.enterprise_roots.enabled = true
network.negotiate-auth.trusted-uris = .example.co.uk
Group Policy
editCreate two files [2] Be careful with the extension - .js or .cfg. Both files must have a // comment in the first line. The obscure_value option can be used to obscure the settings applied, setting it to 0 means that you can read the settings in about:config.
enable_local_policy.js:
// Enable site local Firefox policy
pref("general.config.filename", "local_policy.cfg");
pref("general.config.obscure_value", 0);
local_policy.cfg:
// Site local Firefox policy
pref("security.enterprise_roots.enabled", true);
pref("network.negotiate-auth.trusted-uris", ".example.co.uk");
Copy the two files to a central location that is accessible to all client PCs. One possibility is \\example.co.uk\SYSVOL\example.co.uk\firefox , that is use the SYSVOL share on your domain controllers. These files are tiny so there should be no problems.
Create a Group Policy object or edit an existing one and create two File items:
| Name | Order | Action | Source | Target |
|---|---|---|---|---|
| enable_local_policy.js | 1 | Update | \\example.co.uk\sysvol\example.co.uk\Firefox\enable_local_policy.js | C:\Program Files (x86)\Mozilla Firefox\defaults\pref\enable_local_policy.js |
| local_policy.cfg | 2 | Update | \\example.co.uk\sysvol\example.co.uk\Firefox\local_policy.cfg | C:\Program Files (x86)\Mozilla Firefox\local_policy.cfg |
Chrome and Chromium
editGroup Policy
editFor Windows, Google provides group policy extensions which can be used to enable the settings.
Create a directory to hold settings. The first one is for Chrome and the second one is for Chromium. You can create one and symlink to it for the other. Note that Chrome is /etc/opt/chrome/ and Chromium is not:
# mkdir -p /etc/opt/chrome/policies/managed
# mkdir -p /etc/chromium/policies/managed
Create a file such as /etc/opt/chrome/policies/managed/local_policy.json:
{
"AuthServerAllowlist": ".example.co.uk",
"AuthNegotiateDelegateAllowlist": ".example.co.uk"
}
Note that the key names have been changed from eg AuthServerWhiteList to AuthServerAllowList. Google maintain a complete list[4] of policies and settings. Browse to chrome://policy/ in the browser to see which policies are in effect.
References
edit- ↑ https://technet.microsoft.com/en-us/library/dd572939(v=office.13).aspx - MS Technet: Configuring IE for automatic logon
- ↑ https://developer.mozilla.org/en-US/Firefox/Enterprise_deployment - Mozilla Enterprise Deployment documentation
- ↑ https://www.chromium.org/administrators/linux-quick-start Chromium - Linux Quick Start documentation
- ↑ https://cloud.google.com/docs/chrome-enterprise/policies/ - Google Chrome and Chromium policies