SOLVED

Integrated Authorization for Intranet Sites

Copper Contributor

Chromium supports Integrated Authentication; as well as IE11 and Edge (current), so that users can authenticate to an Intranet server without having to prompt the user to login.  Our intranet URLs are specified in IE's Internet Properties as Local Intranet sites.  Will the new Edge also allow this functionality?

33 Replies

@soundman_ok Chrome/Chromium/new Edge all respect the "Automatic Authentication" settings for the Local Intranet Zone (this is one of only two places in Chromium that use Windows Security  Zones) by default.

 

This can be overridden via policy or a command line argument to specify exactly which sites can get automatic authentication.

 

E.g. if you launch Edge like so:

 

   msedge.exe --auth-server-whitelist="example"

 

...automatic authentication will occur only for http://example/ and all other sites (even those in the Intranet zone) will require the user manually enter their credentials.

@Eric_Lawrence  Sorry, I've been away from my desk all day.  I did try the command line argument, without success.  I'll look into this more tomorrow, as I have a feeling a policy might be in place that I am unaware of, since our system administrator has been doing some browser settings testing with Group Policy.  Thanks for responding so quickly. 

@ericlaw After further review, authentication is being passed; however delegation is not happening.  We pass authentication through to a MS-SQL server.  I have used the following to define the delegated whitelist, in addition to the auth-server-whitelist:

msedge.exe --auth-server-whitelist="***.midlandschoice.com" --auth-negotiate-delegatewhitelist="***.midlandschoice.com"

 

This works fine in Chrome; however, neither Edge nor Chromium seem to want to allow delegation.  Am I missing something or is delegation not supported?

best response confirmed by soundman_ok (Copper Contributor)
Solution

@soundman_ok As far as I can tell, command-line argument support for setting auth-negotiate-delegatewhitelist appears to have been removed from Chrome/Chromium some time ago. It does seem to be available as a policy. Do you know if your admins have set this policy? (It should appear if you visit chrome://policy/ in Chrome).

@Eric_Lawrence I have both AuthNegotitateDelegateWhitelist and AuthServerWhitelist policies showing there, which most likely are being applied to my machine through my local Registry.  I'll have our admins look into publishing the policy for our entire domain.

 

Thanks for the help!

@Eric_Lawrence 

 

Yes, this is exactly what we need. Right now, we do this via GPO (see screenshot) in Chrome, or if when needed, we can make this work in Chrome using the Registry change manually. However, in Edge, we can't even find where to put this, as the tree does not exist. I've tried every place I can think of but does not work. I've spoken with a guy on the MS Edge team personally (literally in person last weekend) about the issue. He says that all of Chromium should be working in Edge. So either AuthNegotiateDelegateWhitelist is not working in Edge or I can't find the correct place in the Registry to put it.

Edge reads policies from the keys under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\
I've tried putting it there, but it does not work. If Edge is running the complete Chromium code-base, why do these not work?

@soundman_ok 

 

Very interested in understanding this as well.  Have observed all the same things mentioned by the others in this thread

@perrin42 Please provide more specific details of what exactly you're seeing. 

@Eric_Lawrence We have the policy set in GPO and it shows up in Chrome, but again, this is not working in Edge (Chromium). In fact, in Edge there is no chrome://policy (using that in Edge translates to edge://policy, but does not exist):

 

Hmmm… can't reach this page

It looks like the webpage at edge://policy/ might be having issues, or it may have moved permanently to a new web address.

ERR_INVALID_URL

@Eric_Lawrence 

Thanks Eric.

So we have GPO applying policy to Chrome setting AuthServerWhitelist to *.domain1.com and *.domain2.com

Chrome will not prompt for credentials when hitting those domains.

Doing the same in Edge is also great.

Trying it in EdgeDev and these policies are not being observed and credential prompt pops.

 

Trying your suggested command line does work for EdgeDev which is a great start

 

msedge.exe --auth-server-whitelist="***.domain1.com" --auth-negotiate-delegatewhitelist="***.domain1.com"

 

So the questions. 

1) How can I apply this in policy rather than command line?

Registry shows we have this path

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge

But you have suggested

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge

Well there is nothing set here

 

2) From the command line how do I list domain2.com to be allowed as well?

 

 

 

 

@perrin42 How are you verifying that the command line is working for you? I just tried it and it does not work us. Our scenario is we do some 2-hop authentication, our IIS server scans folders on a file server using the current user's credentials. Works great in IE and Chrome, but in Edge (Chromium), this does not work. Using either of these command lines, this still fails for us:

 

msedge.exe --auth-server-whitelist="***.pridedallas.com" --auth-negotiate-delegatewhitelist="***.pridedallas.com"

 

msedge.exe --auth-server-whitelist="*" --auth-negotiate-delegatewhitelist="*"

@Eric_Lawrence  Will there be a way to set auth whitelists for Edge Mac?

@Keith Davis --auth-server-whitelist appears to be a supported command line. I do not see any command line argument for --auth-negotiate-delegate-whitelist in the Chromium sources; I do see a profile preference with a similar name:

 

// Whitelist containing servers Chrome is allowed to do Kerberos delegation
// with.
const char kAuthNegotiateDelegateWhitelist[] =
    "auth.negotiate_delegate_whitelist";

 

@Keith Davis If I hit an intranet on-premises SharePoint 2010 Teamsite launching EdgeDev normally I get prompted for credentials.

 

If I launch EdgeDev with the previously mentioned commandline then I am not prompted.

@Eric_Lawrence I actually did not think that --auth-negotiate-delegate-whitelist was an option, I was going based on previous comments. I know that it works in the Registry, but again, I can't make that work with Edge.

@perrin42 Ah, yes, that is the result of --auth-server-whitelist, not --auth-negotiate-delegate-whitelist. We don't need the first one, the second one is what need (for 2-hop auth).

@soundman_ok Rejoice as the policies are coming for GPO

 

https://techcommunity.microsoft.com/t5/Discussions/Early-preview-of-Microsoft-Edge-group-policies/m-...

 

Will make edge://policy reflect the settings set as well.

Includes most of the Chrome settings though it is early days and does not all apply to the DEV builds available at the moment you can start playing now.

1 best response

Accepted Solutions
best response confirmed by soundman_ok (Copper Contributor)
Solution

@soundman_ok As far as I can tell, command-line argument support for setting auth-negotiate-delegatewhitelist appears to have been removed from Chrome/Chromium some time ago. It does seem to be available as a policy. Do you know if your admins have set this policy? (It should appear if you visit chrome://policy/ in Chrome).

View solution in original post