6.6.6. Single Sign-On
Single Sign-On (SSO) is an additional feature of Active Directory that allows users to log in to Windows once, and then log in to MediaWorks DX directly from a URL or by checking a box on the login prompt. The recorder will check with the domain for authentication and log the current Windows user into the system.
For users to log in with SSO, it must be enabled on the recorder. Enabling or disabling SSO will require a recorder reboot to take effect.
To use SSO, the recorder must have a fully qualified domain name (FQDN), such as NLRecorder.contoso.net, because Active Directory authenticates against the FQDN and not an IP address.
Important
The recorder’s AD sAMAccountName MUST be the same as the recorder’s hostname for SSO to work.
If NLRecorder.contoso.net is the URL used to access the recorder, NLRecorder MUST be the recorder service account’s username.
Fig. 6.8 Domain Settings - Single Sign-On
To enable SSO, navigate to then check the Enable Single Sign-On checkbox and reboot the recorder. To disable, uncheck the box and reboot.
Single Sign-On support is browser dependent and each browser may have different security configurations to support it. Included in the next sections are configuration options for the most common web browsers.
Note
SSO will also require that the recorder’s FQDN is added to your group policy’s Trusted Sites List.
Go to your Group Policy’s Site to Zone Assignment List and enable the policy setting. Then add your FQDN as a zone assignment. Read the numbered values on the Group Policy Editor to determine which value will work for you.
Fig. 6.9 Site to Zone Assignment List Example
6.6.6.1. Brave Browser
The Brave browser can be configured by editing the registry directly on a PC, or by deploying the registry change to multiple workstations via Group Policy.
Use HKLM to apply the setting to all users of the PC, or HKCU for specific users. For the value, you can separate multiple server names with commas. Wildcards (*) are allowed.
Registry Hive | HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER |
Registry Path | Software\Policies\BraveSoftware\Brave |
Value Name | AuthNegotiateDelegateAllowlist |
Value Type | REG_SZ |
Example Value |
|
Registry Hive | HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER |
Registry Path | Software\Policies\BraveSoftware\Brave |
Value Name | AuthServerAllowlist |
Value Type | REG_SZ |
Example Value |
|
6.6.6.2. Google Chrome
Google Chrome can be configured by editing the registry directly on a PC, or by deploying the registry change to multiple workstations via Group Policy.
Use HKLM to apply the setting to all users of the PC, or HKCU for specific users. For the value, you can separate multiple server names with commas. Wildcards (*) are allowed.
Registry Hive | HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER |
Registry Path | Software\Policies\Google\Chrome |
Value Name | AuthNegotiateDelegateAllowlist |
Value Type | REG_SZ |
Example Value |
|
Registry Hive | HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER |
Registry Path | Software\Policies\Google\Chrome |
Value Name | AuthServerAllowlist |
Value Type | REG_SZ |
Example Value |
|
6.6.6.3. Microsoft Edge (Chromium)
The Chromium-based Microsoft Edge browser can be configured by editing the registry directly on a PC, or by deploying the registry change to multiple workstations via Group Policy.
Use HKLM to apply the setting to all users of the PC, or HKCU for specific users. For the value, you can separate multiple server names with commas. Wildcards (*) are allowed.
Registry Hive | HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER |
Registry Path | Software\Policies\Microsoft\Edge |
Value Name | AuthNegotiateDelegateAllowlist |
Value Type | REG_SZ |
Example Value |
|
Registry Hive | HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER |
Registry Path | Software\Policies\Microsoft\Edge |
Value Name | AuthServerAllowlist |
Value Type | REG_SZ |
Example Value |
|
6.6.6.4. Mozilla Firefox
The Mozilla Firefox browser can be configured by editing the registry directly on a PC, deploying the registry change or Firefox template to multiple workstations via Group Policy, or directly within the Firefox interface.
- Firefox Interface
  1. Open Mozilla Firefox and navigate to the URL: about:config.
  2. If a warning page appears with the message: Proceed with Caution, click Accept the Risk and Continue.
  3. Locate and double-click on the network.automatic-ntlm-auth.trusted-uris.
  4. In the value field, enter the URL address used to access the recorder (ex. NLRecorder.contoso.net). For the value, you can separate multiple server names with commas.
  5. Click √.
  6. Locate and double-click on the network.negotiate-auth.trusted-uris.
  7. In the value field, enter the URL address used to access the recorder (ex. NLRecorder.contoso.net). For the value, you can separate multiple server names with commas.
  8. Click √.
  9. Exit and reopen Firefox.
- Firefox Registry
Configuring Firefox via the Windows registry requires an addition to two paths.
Table 6.7 Mozilla Firefox Browser Registry Settings - NTLM
Registry Hive | HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER |
Registry Path | Software\Policies\Mozilla\Firefox\Authentication\NTLM |
Value Name | 1 (increase number for each entry) |
Value Type | REG_SZ |
Example Value | NLRecorder.contoso.net |

Table 6.8 Mozilla Firefox Browser Registry Settings - SPNEGO
Registry Hive | HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER |
Registry Path | Software\Policies\Mozilla\Firefox\Authentication\SPNEGO |
Value Name | 1 (increase number for each entry) |
Value Type | REG_SZ |
Example Value | NLRecorder.contoso.net |
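
The registry settings from the Brave, Chrome, Edge and Firefox sections above, applied in one pass. This is an added PowerShell example, not part of the MediaWorks DX documentation. It assumes the page's example FQDN as a placeholder and an elevated session when writing to HKLM, and it adds a check (not on the page) that refuses a bare wildcard or a non-FQDN value.

```powershell
# Added example: writes the SSO allowlist policies described in this section.
# $RecorderFqdn defaults to the page's example hostname; replace it with your own.
param(
    [string]$RecorderFqdn = 'NLRecorder.contoso.net',
    [ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKLM'
)

# A bare wildcard would allow integrated authentication to every server,
# so require a dotted name that is not made up only of '*' labels.
if ($RecorderFqdn -match '^\*+(\.\*)*$' -or $RecorderFqdn -notmatch '\.') {
    throw "Use the recorder's FQDN, not '$RecorderFqdn'."
}

# Chromium-based browsers: one comma-separated REG_SZ value per policy.
$chromiumPaths = 'Software\Policies\BraveSoftware\Brave',
                 'Software\Policies\Google\Chrome',
                 'Software\Policies\Microsoft\Edge'
$chromiumValues = 'AuthServerAllowlist', 'AuthNegotiateDelegateAllowlist'

foreach ($path in $chromiumPaths) {
    $key = "${Hive}:\$path"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $chromiumValues) {
        # Append to any existing list instead of overwriting other servers.
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        $entries = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($entries -notcontains $RecorderFqdn) { $entries += $RecorderFqdn }
        Set-ItemProperty -Path $key -Name $name -Value ($entries -join ',') -Type String
    }
}

# Firefox: one numbered REG_SZ value per server under NTLM and SPNEGO.
foreach ($scheme in 'NTLM', 'SPNEGO') {
    $key = "${Hive}:\Software\Policies\Mozilla\Firefox\Authentication\$scheme"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $regKey = Get-Item -Path $key
    $existing = $regKey.GetValueNames() | ForEach-Object { $regKey.GetValue($_) }
    if ($existing -notcontains $RecorderFqdn) {
        # Use the lowest unused number as the value name.
        $next = 1
        while ($regKey.GetValueNames() -contains "$next") { $next++ }
        Set-ItemProperty -Path $key -Name "$next" -Value $RecorderFqdn -Type String
    }
}
```

Running the script a second time with the same FQDN changes nothing, so it can be deployed as a Group Policy startup or logon script.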