MicroStrategy ONE

Configure Web Browser for Integrated Authentication

Integrated Authentication with Kerberos requires that the browser being used to access MicroStrategy Web be configured to retrieve the currently logged in user from the client machine. The steps for enabling this functionality are different for the certified browsers for MicroStrategy.

Kerberos should already be configured on the MicroStrategy Library server, MicroStrategy Web server, and the MicroStrategy Intelligence server.

Google Chrome on Windows

Chrome reads a key, AuthNegotiateDelegateAllowlist, which configures Chrome to allow certain sites to allow delegation and use Kerberos. The key can be implemented as a policy in a group policy object or added manually in the registry on the client machine where Chrome is installed. To learn more about the policy, see the Google Documentation.

To add the key manually to the registry:

  1. Close any open instances of Chrome
  2. Create a key with the path:

    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome

  3. Add a new 'String value' named AuthNegotiateDelegateAllowlist.
  4. Populate the value of AuthNegotiateDelegateAllowlist with the host of the MicroStrategy Web site as shown below.
  5. Add a new 'String value' named AuthServerAllowlist.
  6. Populate the value of AuthServerAllowlist with the host of the MicroStrategy Web site as shown below.

    If you are using Chrome 85 or earlier, you should use AuthServerWhitelist and AuthNegotiateDelegateWhitelist instead of AuthServerAllowlist and AuthNegotiateDelegateAllowlist.

Microsoft Edge on Windows

First, you must configure the browser to recognize Negotiate challenges from Web servers configured to use these types of challenges (as they would be if they were protected by Kerberos).

  1. Open the Windows Control Panel and go to Network and Internet > Internet Options.
  2. On the Advanced tab, select Enable Integrated Windows Authentication.
  3. See Troubleshoot Kerberos failures on the Microsoft site for more information.

Second, you must also configure the browser to place the MicroStrategy Web site in a security zone that can serve credentials. For security reasons, Edge only allows Kerberos delegation to sites within the Intranet and Trusted Sites zones. For this reason, if MicroStrategy Web is not automatically detected as belonging to either of these zones, you need to add it to one of these zones manually.

  1. On the Security tab, click Trusted Sites > Sites.

  2. Enter the hostname for MicroStrategy Web and click Add.
  3. Click Close.

Third, within the specified zone, double-check the security settings.

  1. On the Security tab, click Trusted Sites > Custom Level.
  2. Under User Authenticaiton > Logon, confirm that Anonymous logon is not selected. Instead, use a setting that allows the browser to pick up user credentials, as shown below.

Add Your Account in macOS

macOS has built in support for Kerberos. You must add your account for Kerberos authentication using either the Ticket Viewer app or kinit command-line tool.

To add your account in the terminal:

  1. Enter the following command:

    Copy
    $ kinit user_name@REALM_NAME

    user_name@REALM_NAME is your user name and realm name. The realm name is case sensitive.

  2. Enter your password.

    Copy
    user_name@REALM_NAME's Password:
    $

Google Chrome on macOS

  1. Once you Add Your Account in macOS, you must configure Chrome’s AuthServerAllowlist with any domains that require Kerberos authentication.

    Run the following command in the terminal:

    Copy
    $ defaults write com.google.Chrome AuthServerAllowlist mywebsite.domain.com

    mywebsite.domain.com is the domain name you need to access with Kerberos authentication.

  2. You may also need to set AuthNegotiateDelegateAllowlist to ensure Chrome delegates user credentials on Kerberos authentication.

    Copy
    $ defaults write com.google.Chrome AuthNegotiateDelegateAllowlist mywebsite.domain.com

    If you are using Chrome 85 or earlier, you should use AuthServerWhitelist and AuthNegotiateDelegateWhitelist instead of AuthServerAllowlist and AuthNegotiateDelegateAllowlist.

  3. You may need to restart your machine for the changes to take effect.

To learn more about the policies, see Chrome Enterprise policy list.

Microsoft Edge on macOS

  1. For Edge 77 and later, you must configure Edge’s AuthServerAllowlist with any domains that require Kerberos authentication.

    To learn more about the policy, see AuthServerAllowlist on the Microsoft site.

    Run the following command in the terminal:

    Copy
    $ defaults write com.microsoft.Edge AuthServerAllowlist mywebsite.domain.com

    mywebsite.domain.com is the domain name you need to access with Kerberos authentication.

  2. You may also need to set AuthNegotiateDelegateAllowlist to ensure Chrome delegates user credentials on Kerberos authentication.

    Copy
    $ defaults write com.microsoft.Edge AuthNegotiateDelegateAllowlist mywebsite.domain.com
  3. You may need to restart your machine for the changes to take effect.

Mozilla Firefox

Firefox has two flags, network.negotiate-auth.trusted-uris and network.negotiate-auth.delegation-uris, which configure it to trust certain sites to allow delegation and use Kerberos.

  1. Navigate to about:config in the browser.
  2. Find the two flags in the list of configuration settings.
  3. Double-click on each flag and enter the host of the MicroStrategy Web site, as shown below: