Forum Discussion
Integrated Authorization for Intranet Sites
- Apr 10, 2019
soundman_ok As far as I can tell, command-line argument support for setting auth-negotiate-delegatewhitelist appears to have been removed from Chrome/Chromium some time ago. It does seem to be available as a policy. Do you know if your admins have set this policy? (It should appear if you visit chrome://policy/ in Chrome).
Very interested in understanding this as well. Have observed all the same things mentioned by the others in this thread.
- Eric_Lawrence, May 30, 2019, Microsoft
perrin42 Please provide more specific details of what exactly you're seeing.
- perrin42, May 31, 2019, Copper Contributor
Thanks Eric.
So we have GPO applying policy to Chrome setting AuthServerWhitelist to *.domain1.com and *.domain2.com.
Chrome will not prompt for credentials when hitting those domains.
Doing the same in Edge is also great.
Trying it in EdgeDev and these policies are not being observed and credential prompt pops.
Trying your suggested command line does work for EdgeDev, which is a great start:
msedge.exe --auth-server-whitelist="***.domain1.com" --auth-negotiate-delegatewhitelist="***.domain1.com"
So the questions.
1) How can I apply this in policy rather than command line?
Registry shows we have this path:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge
But you have suggested:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge
Well, there is nothing set here.
2) From the command line how do I list domain2.com to be allowed as well?
- Keith Davis, May 31, 2019, Iron Contributor
perrin42 How are you verifying that the command line is working for you? I just tried it and it does not work for us. Our scenario is we do some 2-hop authentication, our IIS server scans folders on a file server using the current user's credentials. Works great in IE and Chrome, but in Edge (Chromium), this does not work. Using either of these command lines, this still fails for us:
msedge.exe --auth-server-whitelist="***.pridedallas.com" --auth-negotiate-delegatewhitelist="***.pridedallas.com"
msedge.exe --auth-server-whitelist="*" --auth-negotiate-delegatewhitelist="*"
- Keith Davis, May 30, 2019, Iron Contributor
Eric_Lawrence We have the policy set in GPO and it shows up in Chrome, but again, this is not working in Edge (Chromium). In fact, in Edge there is no chrome://policy (using that in Edge translates to edge://policy, but does not exist):
Hmmm… can't reach this page
It looks like the webpage at edge://policy/ might be having issues, or it may have moved permanently to a new web address.
ERR_INVALID_URL