Forum Discussion
Integrated Authorization for Intranet Sites
soundman_ok As far as I can tell, command-line argument support for setting auth-negotiate-delegatewhitelist appears to have been removed from Chrome/Chromium some time ago. It does seem to be available as a policy. Do you know if your admins have set this policy? (It should appear if you visit chrome://policy/ in Chrome).
Microsoftsoundman_ok Chrome/Chromium/new Edge all respect the "Automatic Authentication" settings for the Local Intranet Zone (this is one of only two places in Chromium that use Windows Security Zones) by default.
This can be overridden via policy or a command line argument to specify exactly which sites can get automatic authentication.
E.g. if you launch Edge like so:
msedge.exe --auth-server-whitelist="example"
...automatic authentication will occur only for http://example/ and all other sites (even those in the Intranet zone) will require the user manually enter their credentials.
@ericlaw After further review, authentication is being passed; however delegation is not happening. We pass authentication through to a MS-SQL server. I have used the following to define the delegated whitelist, in addition to the auth-server-whitelist:
msedge.exe --auth-server-whitelist="***.midlandschoice.com" --auth-negotiate-delegatewhitelist="***.midlandschoice.com"
This works fine in Chrome; however, neither Edge nor Chromium seem to want to allow delegation. Am I missing something or is delegation not supported?
- Eric_Lawrence
soundman_ok As far as I can tell, command-line argument support for setting auth-negotiate-delegatewhitelist appears to have been removed from Chrome/Chromium some time ago. It does seem to be available as a policy. Do you know if your admins have set this policy? (It should appear if you visit chrome://policy/ in Chrome).
Yes, this is exactly what we need. Right now, we do this via GPO (see screenshot) in Chrome, or if when needed, we can make this work in Chrome using the Registry change manually. However, in Edge, we can't even find where to put this, as the tree does not exist. I've tried every place I can think of but does not work. I've spoken with a guy on the MS Edge team personally (literally in person last weekend) about the issue. He says that all of Chromium should be working in Edge. So either AuthNegotiateDelegateWhitelist is not working in Edge or I can't find the correct place in the Registry to put it.
- Eric_LawrenceEdge reads policies from the keys under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\
Eric_Lawrence I have both AuthNegotitateDelegateWhitelist and AuthServerWhitelist policies showing there, which most likely are being applied to my machine through my local Registry. I'll have our admins look into publishing the policy for our entire domain.
Thanks for the help!
soundman_ok Rejoice as the policies are coming for GPO
Will make edge://policy reflect the settings set as well.
Includes most of the Chrome settings though it is early days and does not all apply to the DEV builds available at the moment you can start playing now.
