How-To: Set up WIS to work over https in Chrome as well as IE

Version 1

    Details

     

    In some situations Chrome still presents users with a login prompt box when they attempt to use Windows Integrated Security (WIS) as an external login method over https (SSL/port 443), even though Internet Explorer behaves properly with the same setup. The cause is a configuration that is not completely right. Chrome is slightly more particular about the exact settings than IE, and this can create confusion because most of the settings Chrome uses are based on those in the IE Internet Options dialogue.

    This resolution is a proof of concept in a lab environment that has the "bare necessities" for this functionality and proves that Chrome WIS authentication is possible via https (port 443).

    The WIS login method worked normally from Chrome (Version 46.0.2490.86 m) and Internet Explorer 11 after the following steps were performed. This was done using a fresh install of HEAT15.1.2 on Windows Server 2012.

     


    Resolution

     

    Setup steps in my lab (may differ for real world environments):
    Generate and install a self-signed certificate (chose to install to local machine, all other import settings at default)

    HEAT configuration:
    Go to HEAT:
    Log in to configDB, check the tenant login URL (which is the server name by itself, "APP2012") and unlock metadata; Save
    Log out of configDB
    Log in to HEAT with the administrator role
    Go to the Admin UI (Configure application)
    Go to Security Controls >> Authentication Providers
    Add a new Windows Integrated provider
       name: WISTest
       Identity Server URL: /HEAT/WIS
       Sort order: 1
       All other settings blank / unchanged
    SAVE
    Now go back to the front end UI
       Go to the Employee workspace
       Pick a valid employee
       Check the "Enable External Auth" box
       Click "Add New..." on "Login for External Auth"
       Type in your Windows username (in my lab case "administrator") for the Login field
       Select the Authentication Provider we listed above (in my case "WISTest")
       Click Save on the "New External Login" dialogue
       Click Save on the Employee record
    Log out of HEAT

    In IE >> Internet options
    Go to the Security tab and Trusted Sites section
    Click Sites
      Add "https://app2012" and click close
    Click Custom Level >> set "Automatically login with current username and password" under User Authentication then click OK.  Click Yes on the warning box
    Click Apply, OK
    Close all browsers

    IIS configuration (all other settings in IIS were unchanged from a fresh install on server 2012):
    Open IIS Manager
    Browse to {server} >> Sites >> Default Web Site
    Click bindings on the right actions panel
       Click add
       Switch type to https
       Select the SSL certificate we imported earlier
       Click OK
    Click Close

    From a command prompt with administrator rights: IISRESET
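
    The certificate, IE Trusted Sites and IIS binding steps above can also be scripted. The following PowerShell is an added example, not part of the original article or the product's own tooling. It assumes the lab values from this page (host "app2012", "Default Web Site"), an elevated prompt, no certificate already bound to port 443, the browser running as the same user on the same machine, and IE Enhanced Security Configuration turned off.

```powershell
# Added example. Run from an elevated PowerShell prompt on the IIS server.
# Assumed lab values from this article; change them for your environment.
Import-Module WebAdministration
$HostName = 'app2012'
$SiteName = 'Default Web Site'

# 1. Self-signed certificate in the local machine Personal store.
$cert = New-SelfSignedCertificate -DnsName $HostName `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. https binding on port 443, then attach the certificate to it.
#    AddSslCertificate fails if another certificate is already bound to 443.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
}
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 3. Map https://<host> into Trusted Sites (zone 2) for the current user.
#    Chrome reads the same Internet Options zone settings as IE.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$site = "$inet\ZoneMap\Domains\$HostName"
if (-not (Test-Path $site)) {
    New-Item -Path $site -Force | Out-Null
}
New-ItemProperty -Path $site -Name 'https' -Value 2 `
    -PropertyType DWord -Force | Out-Null

# 4. Trusted Sites: automatic logon with the current user's credentials
#    (URL action 1A00 = 0). The setting applies to every site in the zone,
#    so keep the Trusted Sites list limited to hosts that need it.
New-ItemProperty -Path "$inet\Zones\2" -Name '1A00' -Value 0 `
    -PropertyType DWord -Force | Out-Null

# 5. Restart IIS, then print the resulting configuration for review.
iisreset
Get-WebBinding -Name $SiteName -Protocol https |
    Format-List protocol, bindingInformation
"Zone for https://${HostName}: " + (Get-ItemProperty -Path $site).https
"Trusted Sites 1A00 value: " + (Get-ItemProperty -Path "$inet\Zones\2").'1A00'
```

    A zone value of 2 and a 1A00 value of 0 in the output correspond to the Trusted Sites and automatic logon settings made through the Internet Options dialogue above.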

    Testing:
    Test in IE:
      Click Continue to this website (not recommended). 
      Click Sign in with WISTest 
    NOTE: in some cases IE will throw additional login dialogue boxes.  These can be dismissed (with the Cancel button) and should not appear thereafter.
      Select a role
      IE login is successful 

    Test in Chrome:
      Click Advanced
      Click Proceed to app2012 (unsafe)
      Chrome login is successful