Symptom: When upgrading from ADFS v2.0 to ADFS v3 built natively into Server 2012 R2, I noticed Chrome stopped auto-logging in people when trying to hit the ADFS server from inside the corporate network.
Solution: We need to allow NTLM authentication for the Google Chrome useragent.
- Log in to your primary ADFS server
- NOTE: This step is no longer applicable on newer versions of Chrome. It only applies if you are running extremely old versions of Chrome (v50 or lower); the fix has been added in Chrome v51 and higher.
- Execute the following command to disable the Extended Protection Token Check (see the notes at the bottom of this article for what this is)
- Set-ADFSProperties -ExtendedProtectionTokenCheck None
- Execute the following command to get the current list of supported user-agents for NTLM authentication
- [System.Collections.ArrayList]$UserAgents = Get-AdfsProperties | select -ExpandProperty WIASupportedUserAgents
- Execute the following command to add the Chrome user agent to the temporary array of user agents already configured in ADFS.
- Execute the following command to commit the change.
- Set-ADFSProperties -WIASupportedUserAgents $UserAgents
- Restart the Active Directory Federation Services service on each of the ADFS farm servers for the changes to take effect. You do not need to make any changes to the proxy servers.
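The same change as a single idempotent script, added here as an example and not taken from the original post. It assumes the user-agent value to add is `Mozilla/5.0 (Windows NT` (replace it with the value you decide on) and that it runs on the primary ADFS server; the ADFS service name `adfssrv` is the Server 2012 R2 default.

```powershell
# Added example: add a user-agent entry to the WIA supported list only if it is
# not already there, commit it, and restart the local ADFS service.
# Run this on the primary ADFS server. The service still has to be restarted on
# every other farm member; the proxy servers need no change.

$NewAgent = 'Mozilla/5.0 (Windows NT'   # assumed value; entries match part of the
                                         # User-Agent header, not the whole string

# Current list, copied into an ArrayList so we can .Add() to it
[System.Collections.ArrayList]$UserAgents =
    Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents

if ($UserAgents -contains $NewAgent) {
    Write-Host "'$NewAgent' is already in WIASupportedUserAgents; nothing to do."
} else {
    $null = $UserAgents.Add($NewAgent)   # Add() returns the new index; discard it
    Set-AdfsProperties -WIASupportedUserAgents $UserAgents
    Restart-Service -Name adfssrv        # restart the local farm member
}

# Verify what ADFS now has on record
Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents
```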
Shout out to Jon Payne in the comments section below for the idea of putting all the values into an ArrayList and then committing the arraylist to ADFS vs adding in all the strings manually.
ExtendedProtectionTokenCheck - Copied directly from technet - Specifies the level of extended protection for authentication supported by the federation server. Extended Protection for Authentication helps protect against man-in-the-middle (MITM) attacks, in which an attacker intercepts a client's credentials and forwards them to a server. Protection against such attacks is made possible through a Channel Binding Token (CBT) which can be either required, allowed or not required by the server when establishing communications with clients. http://technet.microsoft.com/en-us/library/ee892317.aspx
Synopsis: As more companies shift from Internet Explorer to Google Chrome, administering certain controls over the web browser from a centralized place becomes increasingly difficult. As such, one of the most sought-after features in administering the web browser is the ability to deploy shortcuts to the end users for frequently accessed resources on both the intranet and internet. Luckily, Google has acknowledged the need for central administration in corporate environments and supports Active Directory and Group Policy to easily complete this task.
- Grab a copy of the Google Chrome ADM/ADMX templates from here: http://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip
- Extract the contents of the policy_templates.zip file once you have downloaded it to your local machine.
- Navigate to the windows folder and then navigate into the folder with the template you want to use (in this case, I will be deploying ADMX; read below on which one you should use)
- If you are using computers with an operating system newer than Windows Server 2003 or XP, select the ADMX folder
- If you are using computers with an operating system older than Windows Server 2008 and Vista, select the ADM folder
- If you are using Server 2003, you will use the adm file and follow step 2 below. If you are using Server 2008 and newer, you will use the admx and adml files mentioned in step 1 below.
- If you are running Server 2008 or newer, enter the admx folder and copy the .adml file from the language folder (en-US for example) to %systemroot%\sysvol\yourdomain\policies\PolicyDefinitions\<ll-cc> (ll-cc being the language specific folder, such as en-US) and copy the .admx file from the root of the admx folder to %systemroot%\sysvol\yourdomain\policies\PolicyDefinitions
- If you are from another region, copy the file to the correct language folder (if it doesn't exist, go ahead and create it).
- If you get an Access Denied prompt, try running Windows Explorer as an Administrator
- If you are running Server 2003 or older, copy the .adm file to your domain controller from the Google\Policy_Templates\adm\<ll-cc> Google folder and complete the following steps to import it:
- Open the Group Policy Object that you want to edit inside of Group Policy Management.
- In the console tree, navigate to Group Policy object/Computer Configuration (or User Configuration)/Administrative Templates and right click on Administrative Templates
- Click Add/Remove Templates.
- Click the Add button and navigate to the .adm file
- More details on this process can be found here: http://technet.microsoft.com/en-us/library/cc739134(v=ws.10).aspx
- Open up Group Policy Management (Start->Administrative Tools->Group Policy Management)
- Right click the Group Policy Object you want, and select Edit...
- Under Computer Configuration->Policies->Administrative Templates, you should now see a Google object. Expand that to find the policies you can deploy.
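The Server 2008-and-newer copy steps above as a script, added here as an example rather than code from the original post. It assumes policy_templates.zip has already been extracted to C:\Temp\policy_templates, uses contoso.com as a placeholder domain, targets the en-US language folder, and writes to the Group Policy central store via its UNC path.

```powershell
# Added example: place the Chrome ADMX/ADML templates in the domain central store.
$Extracted = 'C:\Temp\policy_templates'   # assumed extraction folder
$Domain    = 'contoso.com'                 # placeholder; use your domain
$Lang      = 'en-US'                       # language folder to populate
$Store     = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
$AdmxDir   = Join-Path $Extracted 'windows\admx'

# Create the language folder in the store if it does not exist yet
$LangDir = Join-Path $Store $Lang
if (-not (Test-Path $LangDir)) {
    New-Item -ItemType Directory -Path $LangDir | Out-Null
}

# .admx files go in the root of the store, .adml files in the language subfolder
Copy-Item -Path (Join-Path $AdmxDir '*.admx')       -Destination $Store   -Force
Copy-Item -Path (Join-Path $AdmxDir "$Lang\*.adml") -Destination $LangDir -Force

# Verify: each copied .admx needs a matching .adml, or the editor shows raw IDs
Get-ChildItem -Path $AdmxDir -Filter '*.admx' | ForEach-Object {
    $admx = Join-Path $Store   $_.Name
    $adml = Join-Path $LangDir ($_.BaseName + '.adml')
    if (-not (Test-Path $admx)) { Write-Warning "Not copied: $admx" }
    if (-not (Test-Path $adml)) { Write-Warning "Missing language file: $adml" }
}
```

If you get an Access Denied error, run the script from an elevated PowerShell session, as the article notes for Windows Explorer.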
Here is a screenshot of a few of the policies Google offers (more policies can be found in each of the folders as shown in the screenshot below).
Happy web browsing!
Side notes: The only thing I haven't figured out how to do is successfully deploy bookmarks/favorites to Google Chrome. It appears at this time, it is not possible to do so via Group Policy. If anyone has any ideas on how to achieve this, please leave a comment below; it would be greatly appreciated! 🙂