04-09-2019 07:54 AM
04-09-2019 07:54 AM
Chromium supports Integrated Authentication; as well as IE11 and Edge (current), so that users can authenticate to an Intranet server without having to prompt the user to login. Our intranet URLs are specified in IE's Internet Properties as Local Intranet sites. Will the new Edge also allow this functionality?
04-09-2019 08:11 AM
@soundman_ok Chrome/Chromium/new Edge all respect the "Automatic Authentication" settings for the Local Intranet Zone (this is one of only two places in Chromium that use Windows Security Zones) by default.
This can be overridden via policy or a command line argument to specify exactly which sites can get automatic authentication.
E.g. if you launch Edge like so:
...automatic authentication will occur only for http://example/ and all other sites (even those in the Intranet zone) will require the user manually enter their credentials.
04-09-2019 02:27 PM
@ericlaw Sorry, I've been away from my desk all day. I did try the command line argument, without success. I'll look into this more tomorrow, as I have a feeling a policy might be in place that I am unaware of, since our system administrator has been doing some browser settings testing with Group Policy. Thanks for responding so quickly.
04-10-2019 09:24 AM - edited 04-10-2019 09:25 AM
@ericlaw After further review, authentication is being passed; however delegation is not happening. We pass authentication through to a MS-SQL server. I have used the following to define the delegated whitelist, in addition to the auth-server-whitelist:
msedge.exe --auth-server-whitelist="***.midlandschoice.com" --auth-negotiate-delegatewhitelist="***.midlandschoice.com"
This works fine in Chrome; however, neither Edge nor Chromium seem to want to allow delegation. Am I missing something or is delegation not supported?
04-10-2019 11:04 AMSolution
@soundman_ok As far as I can tell, command-line argument support for setting auth-negotiate-delegatewhitelist appears to have been removed from Chrome/Chromium some time ago. It does seem to be available as a policy. Do you know if your admins have set this policy? (It should appear if you visit chrome://policy/ in Chrome).
04-10-2019 11:22 AM
@ericlaw I have both AuthNegotitateDelegateWhitelist and AuthServerWhitelist policies showing there, which most likely are being applied to my machine through my local Registry. I'll have our admins look into publishing the policy for our entire domain.
Thanks for the help!
05-06-2019 11:02 AM
Yes, this is exactly what we need. Right now, we do this via GPO (see screenshot) in Chrome, or if when needed, we can make this work in Chrome using the Registry change manually. However, in Edge, we can't even find where to put this, as the tree does not exist. I've tried every place I can think of but does not work. I've spoken with a guy on the MS Edge team personally (literally in person last weekend) about the issue. He says that all of Chromium should be working in Edge. So either AuthNegotiateDelegateWhitelist is not working in Edge or I can't find the correct place in the Registry to put it.
05-06-2019 11:49 AM
05-30-2019 06:21 AM
@ericlaw We have the policy set in GPO and it shows up in Chrome, but again, this is not working in Edge (Chromium). In fact, in Edge there is no chrome://policy (using that in Edge translates to edge://policy, but does not exist):
It looks like the webpage at edge://policy/ might be having issues, or it may have moved permanently to a new web address.
05-30-2019 05:10 PM
So we have GPO applying policy to Chrome setting AuthServerWhitelist to *.domain1.com and *.domain2.com
Chrome will not prompt for credentials when hitting those domains.
Doing the same in Edge is also great.
Trying it in EdgeDev and these policies are not being observed and credential prompt pops.
Trying your suggested command line does work for EdgeDev which is a great start
msedge.exe --auth-server-whitelist="***.domain1.com" --auth-negotiate-delegatewhitelist="***.domain1.com"
So the questions.
1) How can I apply this in policy rather than command line?
Registry shows we have this path
But you have suggested
Well there is nothing set here
2) From the command line how do I list domain2.com to be allowed as well?
05-31-2019 04:38 AM
@perrin42 How are you verifying that the command line is working for you? I just tried it and it does not work us. Our scenario is we do some 2-hop authentication, our IIS server scans folders on a file server using the current user's credentials. Works great in IE and Chrome, but in Edge (Chromium), this does not work. Using either of these command lines, this still fails for us:
msedge.exe --auth-server-whitelist="***.pridedallas.com" --auth-negotiate-delegatewhitelist="***.pridedallas.com"
msedge.exe --auth-server-whitelist="*" --auth-negotiate-delegatewhitelist="*"
06-05-2019 12:28 PM
@Keith Davis --auth-server-whitelist appears to be a supported command line. I do not see any command line argument for --auth-negotiate-delegate-whitelist in the Chromium sources; I do see a profile preference with a similar name:
// Whitelist containing servers Chrome is allowed to do Kerberos delegation // with. const char kAuthNegotiateDelegateWhitelist = "auth.negotiate_delegate_whitelist";
06-19-2019 06:07 PM
@soundman_ok Rejoice as the policies are coming for GPO
Will make edge://policy reflect the settings set as well.
Includes most of the Chrome settings though it is early days and does not all apply to the DEV builds available at the moment you can start playing now.
06-26-2019 03:43 AM
06-26-2019 07:54 AM - edited 06-27-2019 09:00 AM
Edge on Mac also supports policy. I'd probably start by trying just com.microsoft.Edge.AuthServerWhitelist and if that doesn't work I can ask around.
06-27-2019 12:19 AM - edited 06-27-2019 12:26 AM
@ericlaw Thanks. I tried both com.microsoft.Edge and com.google.Edge to set AuthServerWhitelist and it did not stick.
Edit: I take it back. com.microsoft.Edge and com.microsoft.Edge.Canary work fine. I just had some issues with one specific intranet site, but others seem to be taking the SSO just fine.
06-27-2019 11:29 AM
10-23-2019 04:48 AM
Starting in Canary 79.0.307.0, and now also in the Dev channel as of today, this is no longer working for us!
@mkruger - Thanks. This 'hint' lead me to realize the same is true of AuthNegotiateDelegateWhitelist. Edge Chromium is looking for AuthNegotiateDelegateAllowlist in Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge. Once my companie's domain suffix was added to that key in that location, pass-through authentication from chromium Edge through SSRS 2017 to SQL 2017 began to work as expected.