Forum Discussion
Integrated Authorization for Intranet Sites
Chromium supports Integrated Authentication, as do IE11 and Edge (current), so that users can authenticate to an Intranet server without being prompted to log in. Our intranet URLs are specified in IE's Internet Properties as Local Intranet sites. Will the new Edge also allow this functionality?
33 Replies
- Jonell10 (Copper Contributor)
Take a look at this:
https://providing.tips/2020/02/13/microsoft-teams-edge-chromium-heres-how-to-get-rid-of-those-annoying-additional-logins/
- Eric_Lawrence (Microsoft)
Hrm. It's worth mentioning that adding a URL manually as suggested in that "providing.tips" article turns off the default behavior, which is to respect the Intranet Zone. So, if this URL is in your Intranet zone, it should be authenticating automatically. By setting this policy directly in this way, you're likely to cause yourself a bunch of other problems, because it will ensure that none of your other Intranet URLs automatically authenticate any longer.
https://source.chromium.org/chromium/_/chromium/chromium/src/out/+/0309b2d58b48f0c0dc0bfbe73512b793eff3ff2c:win-Debug/gen/components/policy/proto/chrome_settings_full_runtime.proto;l=2121?originalUrl=https:%2F%2Fcs.chromium.org%2F
- Keith Davis (Steel Contributor)
Starting in Canary 79.0.307.0, and now also in the Dev channel as of today, this is no longer working for us!
- corbettg (Copper Contributor)
Broken for me too.
- Romit Mehta (Copper Contributor)
I know this discussion is focused on Windows, but I have the same question/request for Mac. On our company Macs, we have defaults read com.google.Chrome AuthServerWhitelist "*.companyurl.com"
Is there an equivalent for MacOS Edge?
- Eric_Lawrence (Microsoft)
Edge on Mac also supports policy. I'd probably start by trying just com.microsoft.Edge.AuthServerWhitelist and if that doesn't work I can ask around.
- Romit Mehta (Copper Contributor)
Eric_Lawrence Thanks. I tried both com.microsoft.Edge and com.google.Edge to set AuthServerWhitelist and it did not stick.
Edit: I take it back. com.microsoft.Edge and com.microsoft.Edge.Canary work fine. I just had some issues with one specific intranet site, but others seem to be taking the SSO just fine.
- perrin42 (Copper Contributor)
Very interested in understanding this as well. Have observed all the same things mentioned by the others in this thread
- Eric_Lawrence (Microsoft)
perrin42 Please provide more specific details of what exactly you're seeing.
- perrin42 (Copper Contributor)
Thanks Eric.
So we have GPO applying policy to Chrome setting AuthServerWhitelist to *.domain1.com and *.domain2.com
Chrome will not prompt for credentials when hitting those domains.
Doing the same in Edge is also great.
Trying it in EdgeDev, these policies are not being observed and the credential prompt pops.
Trying your suggested command line does work for EdgeDev, which is a great start:
msedge.exe --auth-server-whitelist="*.domain1.com" --auth-negotiate-delegatewhitelist="*.domain1.com"
So, the questions:
1) How can I apply this in policy rather than on the command line?
Registry shows we have this path:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge
But you have suggested:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge
Well, there is nothing set here.
2) From the command line, how do I list domain2.com to be allowed as well?
- Eric_Lawrence (Microsoft)
soundman_ok Chrome/Chromium/new Edge all respect the "Automatic Authentication" settings for the Local Intranet Zone (this is one of only two places in Chromium that use Windows Security Zones) by default.
This can be overridden via policy or a command line argument to specify exactly which sites can get automatic authentication.
E.g. if you launch Edge like so:
msedge.exe --auth-server-whitelist="example"
...automatic authentication will occur only for http://example/, and all other sites (even those in the Intranet zone) will require the user to manually enter their credentials.
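The policy route perrin42 asks about in question 1, as an added example that is not from the thread or from Microsoft: an elevated PowerShell script that writes the server and delegation allow lists under the HKLM\SOFTWARE\Policies\Microsoft\Edge path Eric_Lawrence points at (not the MicrosoftEdge path used by the legacy browser) and reads them back. Both values are a single comma-separated string, which is also the answer to question 2 (listing domain2.com alongside domain1.com). The domain names are placeholders; writing the newer *Allowlist policy names next to the *Whitelist names the thread uses is this example's choice, on the assumption that the installed Edge build reads one or the other.

```powershell
# Added example: configure Edge integrated-auth policies via the machine policy hive.
# Run from an elevated PowerShell prompt. Domain names below are placeholders.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# Each policy takes ONE comma-separated string; do not create one value per domain.
# "*.domain1.com" matches any host under domain1.com. A bare "example" (as in
# Eric's command line) matches only the host named example.
$ServerList   = '*.domain1.com,*.domain2.com'   # hosts that get silent auth
$DelegateList = '*.domain1.com'                # hosts allowed to delegate the ticket onward

if (-not (Test-Path $PolicyPath)) {
    New-Item -Path $PolicyPath -Force | Out-Null
}

# Older builds read the *Whitelist names used in this thread; newer Edge releases
# document the same policies as *Allowlist. Writing both keeps either build in sync
# (assumption: the running build honours at least one of the pair).
foreach ($name in 'AuthServerWhitelist', 'AuthServerAllowlist') {
    New-ItemProperty -Path $PolicyPath -Name $name -Value $ServerList `
        -PropertyType String -Force | Out-Null
}
foreach ($name in 'AuthNegotiateDelegateWhitelist', 'AuthNegotiateDelegateAllowlist') {
    New-ItemProperty -Path $PolicyPath -Name $name -Value $DelegateList `
        -PropertyType String -Force | Out-Null
}

# Read back exactly what the browser will load on its next policy refresh.
Get-ItemProperty -Path $PolicyPath |
    Select-Object AuthServerWhitelist, AuthServerAllowlist,
                  AuthNegotiateDelegateWhitelist, AuthNegotiateDelegateAllowlist
```

After running it, restart the browser (or wait for the policy refresh) and confirm the values appear on edge://policy, the Edge counterpart of the chrome://policy page mentioned later in the thread. Keep Eric's caveat in mind: as soon as AuthServerWhitelist is populated, Edge stops consulting the Local Intranet Zone, so any intranet host missing from the list starts prompting. Setting the delegation list only tells the browser it may forward the Kerberos ticket; the web server's service account must still be trusted for delegation in Active Directory, and a non-Kerberos (NTLM) fallback will not delegate at all.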
- Stephen Rayda (Copper Contributor)
Eric_Lawrence Will there be a way to set auth whitelists for Edge Mac?
- soundman_ok (Copper Contributor)
@ericlaw After further review, authentication is being passed; however, delegation is not happening. We pass authentication through to an MS-SQL server. I have used the following to define the delegation whitelist, in addition to the auth-server-whitelist:
msedge.exe --auth-server-whitelist="*.midlandschoice.com" --auth-negotiate-delegatewhitelist="*.midlandschoice.com"
This works fine in Chrome; however, neither Edge nor Chromium seem to want to allow delegation. Am I missing something, or is delegation not supported?
- Eric_Lawrence (Microsoft)
soundman_ok As far as I can tell, command-line argument support for setting auth-negotiate-delegatewhitelist appears to have been removed from Chrome/Chromium some time ago. It does seem to be available as a policy. Do you know if your admins have set this policy? (It should appear if you visit chrome://policy/ in Chrome).
- soundman_ok (Copper Contributor)
Eric_Lawrence Sorry, I've been away from my desk all day. I did try the command line argument, without success. I'll look into this more tomorrow, as I have a feeling a policy might be in place that I am unaware of, since our system administrator has been doing some browser settings testing with Group Policy. Thanks for responding so quickly.