Apr 09 2019 07:54 AM
Chromium supports Integrated Authentication; as well as IE11 and Edge (current), so that users can authenticate to an Intranet server without having to prompt the user to login. Our intranet URLs are specified in IE's Internet Properties as Local Intranet sites. Will the new Edge also allow this functionality?
Apr 09 2019 08:11 AM
@soundman_ok Chrome/Chromium/new Edge all respect the "Automatic Authentication" settings for the Local Intranet Zone (this is one of only two places in Chromium that use Windows Security Zones) by default.
This can be overridden via policy or a command line argument to specify exactly which sites can get automatic authentication.
E.g. if you launch Edge like so:
msedge.exe --auth-server-whitelist="example"
...automatic authentication will occur only for http://example/ and all other sites (even those in the Intranet zone) will require the user manually enter their credentials.
Apr 09 2019 02:27 PM
@Eric_Lawrence Sorry, I've been away from my desk all day. I did try the command line argument, without success. I'll look into this more tomorrow, as I have a feeling a policy might be in place that I am unaware of, since our system administrator has been doing some browser settings testing with Group Policy. Thanks for responding so quickly.
Apr 10 2019 09:24 AM - edited Apr 10 2019 09:25 AM
@ericlaw After further review, authentication is being passed; however delegation is not happening. We pass authentication through to a MS-SQL server. I have used the following to define the delegated whitelist, in addition to the auth-server-whitelist:
msedge.exe --auth-server-whitelist="***.midlandschoice.com" --auth-negotiate-delegatewhitelist="***.midlandschoice.com"
This works fine in Chrome; however, neither Edge nor Chromium seem to want to allow delegation. Am I missing something or is delegation not supported?
Apr 10 2019 11:04 AM
Solution@soundman_ok As far as I can tell, command-line argument support for setting auth-negotiate-delegatewhitelist appears to have been removed from Chrome/Chromium some time ago. It does seem to be available as a policy. Do you know if your admins have set this policy? (It should appear if you visit chrome://policy/ in Chrome).
Apr 10 2019 11:22 AM
@Eric_Lawrence I have both AuthNegotitateDelegateWhitelist and AuthServerWhitelist policies showing there, which most likely are being applied to my machine through my local Registry. I'll have our admins look into publishing the policy for our entire domain.
Thanks for the help!
May 06 2019 11:02 AM
Yes, this is exactly what we need. Right now, we do this via GPO (see screenshot) in Chrome, or if when needed, we can make this work in Chrome using the Registry change manually. However, in Edge, we can't even find where to put this, as the tree does not exist. I've tried every place I can think of but does not work. I've spoken with a guy on the MS Edge team personally (literally in person last weekend) about the issue. He says that all of Chromium should be working in Edge. So either AuthNegotiateDelegateWhitelist is not working in Edge or I can't find the correct place in the Registry to put it.
May 06 2019 11:36 AM
May 06 2019 11:49 AM
May 29 2019 07:49 PM
Very interested in understanding this as well. Have observed all the same things mentioned by the others in this thread
May 30 2019 06:03 AM
@perrin42 Please provide more specific details of what exactly you're seeing.
May 30 2019 06:21 AM
@Eric_Lawrence We have the policy set in GPO and it shows up in Chrome, but again, this is not working in Edge (Chromium). In fact, in Edge there is no chrome://policy (using that in Edge translates to edge://policy, but does not exist):
It looks like the webpage at edge://policy/ might be having issues, or it may have moved permanently to a new web address.
May 30 2019 05:10 PM
Thanks Eric.
So we have GPO applying policy to Chrome setting AuthServerWhitelist to *.domain1.com and *.domain2.com
Chrome will not prompt for credentials when hitting those domains.
Doing the same in Edge is also great.
Trying it in EdgeDev and these policies are not being observed and credential prompt pops.
Trying your suggested command line does work for EdgeDev which is a great start
msedge.exe --auth-server-whitelist="***.domain1.com" --auth-negotiate-delegatewhitelist="***.domain1.com"
So the questions.
1) How can I apply this in policy rather than command line?
Registry shows we have this path
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge
But you have suggested
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge
Well there is nothing set here
2) From the command line how do I list domain2.com to be allowed as well?
May 31 2019 04:38 AM
@perrin42 How are you verifying that the command line is working for you? I just tried it and it does not work us. Our scenario is we do some 2-hop authentication, our IIS server scans folders on a file server using the current user's credentials. Works great in IE and Chrome, but in Edge (Chromium), this does not work. Using either of these command lines, this still fails for us:
msedge.exe --auth-server-whitelist="***.pridedallas.com" --auth-negotiate-delegatewhitelist="***.pridedallas.com"
msedge.exe --auth-server-whitelist="*" --auth-negotiate-delegatewhitelist="*"
Jun 05 2019 12:07 PM
@Eric_Lawrence Will there be a way to set auth whitelists for Edge Mac?
Jun 05 2019 12:28 PM
@Keith Davis --auth-server-whitelist appears to be a supported command line. I do not see any command line argument for --auth-negotiate-delegate-whitelist in the Chromium sources; I do see a profile preference with a similar name:
// Whitelist containing servers Chrome is allowed to do Kerberos delegation // with. const char kAuthNegotiateDelegateWhitelist[] = "auth.negotiate_delegate_whitelist";
Jun 05 2019 01:32 PM
@Keith Davis If I hit an intranet on-premises SharePoint 2010 Teamsite launching EdgeDev normally I get prompted for credentials.
If I launch EdgeDev with the previously mentioned commandline then I am not prompted.
Jun 06 2019 04:25 AM
@Eric_Lawrence I actually did not think that --auth-negotiate-delegate-whitelist was an option, I was going based on previous comments. I know that it works in the Registry, but again, I can't make that work with Edge.
Jun 06 2019 04:27 AM
@perrin42 Ah, yes, that is the result of --auth-server-whitelist, not --auth-negotiate-delegate-whitelist. We don't need the first one, the second one is what need (for 2-hop auth).
Jun 19 2019 06:07 PM
@soundman_ok Rejoice as the policies are coming for GPO
Will make edge://policy reflect the settings set as well.
Includes most of the Chrome settings though it is early days and does not all apply to the DEV builds available at the moment you can start playing now.
Apr 10 2019 11:04 AM
Solution@soundman_ok As far as I can tell, command-line argument support for setting auth-negotiate-delegatewhitelist appears to have been removed from Chrome/Chromium some time ago. It does seem to be available as a policy. Do you know if your admins have set this policy? (It should appear if you visit chrome://policy/ in Chrome).