Integrated Authorization for Intranet Sites
- Apr 10, 2019
soundman_ok As far as I can tell, command-line argument support for setting auth-negotiate-delegatewhitelist appears to have been removed from Chrome/Chromium some time ago. It does seem to be available as a policy. Do you know if your admins have set this policy? (It should appear if you visit chrome://policy/ in Chrome).
perrin42 Please provide more specific details of what exactly you're seeing.
Thanks Eric.
So we have GPO applying policy to Chrome, setting AuthServerWhitelist to *.domain1.com and *.domain2.com.
Chrome will not prompt for credentials when hitting those domains.
Doing the same in Edge is also great.
Trying it in EdgeDev and these policies are not being observed and credential prompt pops.
Trying your suggested command line does work for EdgeDev, which is a great start:
msedge.exe --auth-server-whitelist="***.domain1.com" --auth-negotiate-delegatewhitelist="***.domain1.com"
So the questions.
1) How can I apply this in policy rather than command line?
Registry shows we have this path
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge
But you have suggested
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge
Well, there is nothing set here.
2) From the command line how do I list domain2.com to be allowed as well?
- Keith Davis, May 31, 2019, Iron Contributor
perrin42 How are you verifying that the command line is working for you? I just tried it and it does not work for us. Our scenario is we do some 2-hop authentication: our IIS server scans folders on a file server using the current user's credentials. Works great in IE and Chrome, but in Edge (Chromium), this does not work. Using either of these command lines, this still fails for us:
msedge.exe --auth-server-whitelist="***.pridedallas.com" --auth-negotiate-delegatewhitelist="***.pridedallas.com"
msedge.exe --auth-server-whitelist="*" --auth-negotiate-delegatewhitelist="*"
- perrin42, Jun 05, 2019, Copper Contributor
Keith Davis If I hit an intranet on-premises SharePoint 2010 Teamsite launching EdgeDev normally I get prompted for credentials.
If I launch EdgeDev with the previously mentioned command line then I am not prompted.
- Keith Davis, Jun 06, 2019, Iron Contributor
perrin42 Ah, yes, that is the result of --auth-server-whitelist, not --auth-negotiate-delegate-whitelist. We don't need the first one; the second one is what we need (for 2-hop auth).
- Eric_Lawrence, Jun 05, 2019, Microsoft
Keith Davis --auth-server-whitelist appears to be a supported command line. I do not see any command line argument for --auth-negotiate-delegate-whitelist in the Chromium sources; I do see a profile preference with a similar name:
// Whitelist containing servers Chrome is allowed to do Kerberos delegation
// with.
const char kAuthNegotiateDelegateWhitelist[] = "auth.negotiate_delegate_whitelist";
- Keith Davis, Jun 06, 2019, Iron Contributor
Eric_Lawrence I actually did not think that --auth-negotiate-delegate-whitelist was an option, I was going based on previous comments. I know that it works in the Registry, but again, I can't make that work with Edge.
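
Added example, not part of the thread and not code from any participant: a PowerShell check that reports which of the policy keys mentioned above actually carry integrated-auth list values, and notes a delegation list that contains a bare `*`. Assumptions: the `Google\Chrome` key path, the value names other than AuthServerWhitelist (both Whitelist and Allowlist spellings are probed), and comma-separated list values are not stated in the thread.

```powershell
# Policy keys named in the thread, plus Chrome's key (assumed, not on the page).
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
    'HKLM:\SOFTWARE\Policies\Google\Chrome'
)
# AuthServerWhitelist is from the thread; the other value names are assumed.
$valueNames = @(
    'AuthServerWhitelist', 'AuthNegotiateDelegateWhitelist',
    'AuthServerAllowlist', 'AuthNegotiateDelegateAllowlist'
)

function Get-AuthPolicyReport {
    param([string[]]$Keys = $policyKeys, [string[]]$Names = $valueNames)
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) {
            [pscustomobject]@{ Key = $key; Name = $null; Value = $null; Note = 'key not present' }
            continue
        }
        $props = Get-ItemProperty -LiteralPath $key
        $found = $false
        foreach ($name in $Names) {
            $value = $props.$name
            if ($null -eq $value) { continue }
            $found = $true
            # Assumed format: comma-separated server patterns in one string.
            $patterns = @("$value" -split ',' | ForEach-Object { $_.Trim() })
            $note = ''
            # A bare "*" in a delegation list hands Kerberos delegation to any server.
            if ($name -like '*Delegate*' -and $patterns -contains '*') {
                $note = 'delegation allowed to every server'
            }
            [pscustomobject]@{ Key = $key; Name = $name; Value = $value; Note = $note }
        }
        if (-not $found) {
            [pscustomobject]@{ Key = $key; Name = $null; Value = $null; Note = 'no auth list values set' }
        }
    }
}

Get-AuthPolicyReport | Format-Table -AutoSize -Wrap
```

The report only shows what is written under each key; whether a given browser build reads that key is a separate question that chrome://policy/ (mentioned in the first reply) answers for Chrome.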