
Enable NTLM Login Prompt in Yandex Browser on macOS

Fix 'Unauthorized' error in Yandex Browser on macOS by enabling NTLM authentication prompt for domain auth, like Windows. Use defaults write commands, whitelists, and flags for seamless credential dialog.


How to trigger a login and password prompt for domain authentication in Yandex Browser on macOS, similar to Windows PCs not in the domain?

A web service uses seamless domain authorization. On Windows PCs outside the domain, browsers display a standard login/password dialog allowing entry of domain credentials. However, on macOS in Yandex Browser, no prompt appears; instead, it shows an ‘Unauthorized’ error: ‘This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn’t understand how to supply the credentials required.’

How can I enable the credential prompt in macOS browsers like it works on Windows?

To get the NTLM authentication prompt in Yandex Browser on macOS—like the login/password dialog on Windows PCs outside the domain—add your server’s domain to the AuthServerWhitelist and enable NTLM schemes via Terminal commands or launch flags. Without this, Chromium-based browsers like Yandex silently fail with “Unauthorized” errors since they skip credential challenges by default. Run defaults write com.yandex.YandexBrowser AuthServerWhitelist '*.yourdomain.com' followed by defaults write com.yandex.YandexBrowser AuthSchemes 'ntlm' (adjust for your domain), then relaunch for the prompt to appear on domain authentication pages.




Why No Prompt in Yandex Browser on macOS

Ever hit a domain authentication wall in Yandex Browser on your Mac? You navigate to that internal web app expecting the familiar “Enter your credentials” box, but nope—just a curt “Unauthorized” message blaming your browser. This hits hard because Windows handles NTLM or Kerberos/NTLM fallback seamlessly outside the domain, popping a dialog for manual entry like DOMAIN\username.

What’s the culprit? Yandex Browser, built on Chromium, aggressively skips auth challenges unless explicitly told to trust the server. No whitelist? No dice: the browser assumes it’s a phishing trap and bails without asking for your NTLM authorization creds. On macOS, non-domain-joined machines can’t auto-negotiate Kerberos tickets anyway, so it should drop to an NTLM prompt. But the defaults block it.

Frustrating, right? The good news: a few Terminal tweaks force Yandex Browser NTLM support, mimicking Windows behavior. Stack Overflow users nailed this years ago, confirming whitelists trigger prompts reliably.


Core Fix: Whitelist and NTLM Schemes

At its heart, NTLM authentication on macOS Yandex Browser needs two flags:

  1. AuthServerWhitelist (or AuthServerAllowlist in newer versions): Tells the browser your domain is safe for credential submission.
  2. AuthSchemes: Forces NTLM (and Negotiate) over defaults, ensuring a prompt when Kerberos fails.

Replace *.yourdomain.com with your exact server host or wildcard—like *.company.local or intranet.yourdomain.com. Wildcards save headaches for subdomains.

Why does this work like Windows? Non-domain Macs lack Kerberos keys, so Negotiate falls back to NTLM—and the whitelist makes the dialog pop. No more silent “your browser doesn’t understand” errors.


Method 1: Defaults Write Commands

Quickest for daily use. Open Terminal and paste these (user-level prefs persist across updates):

```bash
defaults write com.yandex.YandexBrowser AuthServerWhitelist '*.yourdomain.com'
defaults write com.yandex.YandexBrowser AuthSchemes 'ntlm,negotiate'
```

Quit Yandex Browser fully (Cmd + Q), relaunch, and test. Boom—login prompt for domain NTLM should appear.

For broader access, add multiple domains comma-separated: '*.domain1.com,*.domain2.local'. Deep in the Code blog spells it out for Chromium browsers, and it translates directly to Yandex.

Pro tip: Verify with defaults read com.yandex.YandexBrowser | grep Auth. If values stick, you’re golden. Changes apply per-user, no admin rights needed.
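
A review step for the whitelist value before it is written, as an added example that is not part of the original answer: the list names the servers the browser treats as trusted for integrated authentication, so overly wide patterns are worth catching first. The function name `audit_allowlist` and its rules are assumptions of this example, not Chromium's own matching logic.

```shell
#!/bin/sh
# Added example (run with sh or bash, not pasted into zsh): review an
# AuthServerWhitelist / AuthServerAllowlist value before writing it.
# The rules are this example's own policy, not Chromium's matcher, and
# they do not know multi-label public suffixes such as co.uk.

audit_allowlist() {
    # $1: comma-separated pattern list. Prints one finding per line;
    # returns 0 when nothing was flagged, 1 otherwise.
    rc=0
    old_ifs=$IFS
    IFS=','
    set -f                      # keep '*' literal while splitting on commas
    for entry in $1; do
        case "$entry" in
            '')       echo "EMPTY: stray comma in list"; rc=1 ;;
            '*')      echo "BROAD: '$entry' matches every host"; rc=1 ;;
            '*.'*.*)  : ;;      # wildcard below a named domain: accepted
            '*.'*)    echo "BROAD: '$entry' covers an entire top-level name"; rc=1 ;;
            *'*'*)    echo "ODD: '$entry' has a wildcard outside the leading label"; rc=1 ;;
        esac
    done
    set +f
    IFS=$old_ifs
    return $rc
}

# Constructed sample values; on the Mac itself the input would come from
#   defaults read com.yandex.YandexBrowser AuthServerWhitelist
audit_allowlist '*.yourdomain.com,intranet.company.local' && echo "ok: list 1"
audit_allowlist '*.yourdomain.com,*.local,*' || echo "review list 2 before writing it"
```
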


Method 2: Launch Flags for Testing

Prefer scripting or quick tests? Modify your launch command. Create an AppleScript or bash alias:

```bash
/Applications/Yandex\ Browser.app/Contents/MacOS/Yandex\ Browser --auth-server-whitelist="*.yourdomain.com" --auth-schemes="ntlm,negotiate" --auth-negotiate-delegate-whitelist="*.yourdomain.com"
```

Save as yandex-ntlm.scpt and run via osascript. This GitHub gist covers Chromium flags spot-on, noting the delegate whitelist helps SPNEGO handshakes.

Great for devs: Automate in a launcher app. Drawback? Flags reset on normal launches—use defaults for permanence.


Enterprise Setup with Policy Files

Running Yandex Browser for Organizations? Official policies lock it in. Create /etc/opt/yandex/browser/policies/managed/auth-policy.json:

```json
{
  "AuthServerAllowlist": "*.yourdomain.com",
  "AuthNegotiateDelegateAllowlist": "*.yourdomain.com"
}
```

Restart Yandex Browser. Yandex’s own SSO docs recommend this—enforces across users, survives updates. For NTLM emphasis, add launch flags or test schemes.

Techmill’s enterprise guide echoes it: Whitelists are mandatory to avoid “Unauthorized” dead-ends.


Testing and Common Pitfalls

Hit the site post-config. Prompt asks for username/password—enter DOMAIN\user or user@domain.com. Still “Unauthorized”? Check:

  • Exact domain match: an entry without a wildcard, such as intranet.company.com, is not the same as *.company.com and covers only that one host.
  • HTTPS vs HTTP: NTLM works over both, but proxies meddle—test direct.
  • Server Keep-Alive: IIS/Apache needs it for multi-challenge NTLM negotiate.
  • Clear cache: Cmd + Shift + Delete in Yandex.

Logs? Launch with --enable-logging --v=1, check ~/Library/Application Support/Yandex Browser/Logs. Errors like “no NTLM support” mean schemes missing.

What if no joy? macOS keychain blocks—run security delete-internet-password for the host.
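
A diagnostic for the scheme mismatch behind the "no NTLM support" case, as an added example that is not part of the original answer: it lists which challenges a 401 response offers and which of them remain usable under the configured AuthSchemes value. It assumes, as in Chromium, that AuthSchemes is the complete list of schemes the browser will answer; the sample responses and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (run with sh or bash): compare the schemes a server's 401
# offers with the browser's AuthSchemes value. Sample headers are constructed.

SAMPLE_IIS='HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Content-Length: 0'

SAMPLE_BASIC='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Intranet, staging"
Content-Length: 0'

offered_schemes() {
    # stdin: raw response headers. stdout: sorted, comma-joined scheme names.
    tr -d '\r' | awk '
        tolower($0) ~ /^www-authenticate:/ {
            sub(/^[^:]*:/, "")
            n = split($0, part, ",")          # one header may list several
            for (i = 1; i <= n; i++) {
                split(part[i], tok, " ")
                s = tolower(tok[1])
                if (s ~ /^(basic|digest|ntlm|negotiate)$/) print s
            }
        }' | sort -u | paste -sd, -
}

usable_schemes() {
    # $1: AuthSchemes value as configured; stdin: raw response headers.
    # stdout: schemes that are both offered and enabled, in $1 order.
    offered=$(offered_schemes)
    enabled=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' ')
    result=''
    old_ifs=$IFS; IFS=','
    for s in $enabled; do
        case ",$offered," in *",$s,"*) result="${result:+$result,}$s" ;; esac
    done
    IFS=$old_ifs
    echo "$result"
}

# Live input: curl -s -o /dev/null -D - https://HOST/ | usable_schemes 'ntlm,negotiate'
echo "IIS sample:   $(printf '%s\n' "$SAMPLE_IIS" | usable_schemes 'ntlm,negotiate')"
echo "Basic sample: $(printf '%s\n' "$SAMPLE_BASIC" | usable_schemes 'ntlm,negotiate')"
```

An empty result, as for the Basic-only sample, means the server and the browser share no scheme, so no credential dialog can appear whatever the whitelist says.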


Alternatives for Other Browsers

Yandex stubborn? Safari needs Directory Utility tweaks (less reliable). Firefox shines:

Go to about:config, set network.automatic-ntlm-auth.trusted-uris to *.yourdomain.com. Instant prompt, no flags.

Chrome? Same defaults as Yandex: com.google.Chrome instead. Edge follows suit.

But stick with Yandex Browser tweaks—they’re battle-tested for NTLM on macOS.


Sources

  1. Integrated Windows Auth (NTLM) on a Mac using Google Chrome or Safari - Stack Overflow
  2. How to configure supported browsers for Kerberos and NTLM - GitHub
  3. Setup Yandex Browser for SSO - Browser for Organizations
  4. Browser Setup for Domain Authentication
  5. Enabling Integrated Windows Authentication in Chrome on a Mac

Conclusion

Enabling the NTLM prompt in Yandex Browser on macOS boils down to whitelisting your domain and forcing schemes—defaults write for simplicity, policies for teams. You’ll get that Windows-like dialog for domain authentication, dodging “Unauthorized” forever. Test thoroughly, match domains precisely, and you’re set for seamless access. If issues linger, logs reveal all.
