Integrated Windows Authentication - Microsoft Edge keeps prompting for credentials


Good day,

 

I have an internal https website running IIS on Windows Server 2012 R2 with Integrated Windows Authentication enabled and Extended Protection enabled at the site level, and because we use SQL Server, that is also enabled under SQL Configuration Manager.

 

Chrome prompts for credentials only once, IE performs SSO, Microsoft Edge v87.0.664.66 keeps prompting for credentials.

 

I have exhausted all resources I could dig up on Google, to list a few:

Extended Protection for Authentication – Microsoft Security Response Center

SQL Server's Extended Protection -- Redmondmag.com

Description of the update that implements Extended Protection for Authentication in Internet Informa...

Configuring Additional LSA Protection | Microsoft Docs

Authentication failure from non-Windows NTLM or Kerberos servers - Windows Server | Microsoft Docs

Microsoft Security Advisory 973811 | Microsoft Docs

Windows Extended Protection <extendedProtection> | Microsoft Docs

 

I applied almost every combination of options I was presented in these and other resources, and none of them change the behavior on Microsoft Edge except for setting to {1} HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\SuppressExtendedProtection which will proceed as a seamless SSO just like IE.

 

I'd like some assistance going over anything you can think can help, or to recognize if this is a known issue on Edge.

 

 

Thanks,

AJ
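
A read-only check for the two settings the post above touches: the client-side SuppressExtendedProtection value under the LSA key and the IIS site's extendedProtection tokenChecking mode. This is an added example, not code from the thread; the site name is a hypothetical placeholder, and it assumes an elevated Windows PowerShell session.

```powershell
# Added example (not from the thread). Read-only: it changes no settings.
# 'Default Web Site' is a hypothetical placeholder; use the name of the IIS site to check.
$SiteName = 'Default Web Site'

# Client side: the LSA value the original post set to 1 to get seamless SSO in Edge.
# Absent or 0 leaves the default behaviour; any non-zero value means suppression
# of channel binding tokens has been configured on this machine.
$lsaKey = 'HKLM:\System\CurrentControlSet\Control\LSA'
$lsa = Get-ItemProperty -Path $lsaKey -Name SuppressExtendedProtection -ErrorAction SilentlyContinue
$suppress = if ($null -eq $lsa) { $null } else { $lsa.SuppressExtendedProtection }

# Server side: Extended Protection mode for Windows Authentication on the site.
# tokenChecking is None, Allow or Require. Only attempted where the IIS
# WebAdministration module is installed (that is, on the web server itself).
$tokenChecking = $null
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
    $raw = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $SiteName -Filter $filter -Name tokenChecking
    # Depending on the module version the result is a string or an attribute object.
    $tokenChecking = if ($raw -is [string]) { $raw } else { $raw.Value }
}

# One object per machine, so results from several hosts can be collected and compared.
[pscustomobject]@{
    Computer                   = $env:COMPUTERNAME
    SuppressExtendedProtection = if ($null -eq $suppress) { 'not set' } else { $suppress }
    SuppressionConfigured      = ($null -ne $suppress -and $suppress -ne 0)
    IisSite                    = $SiteName
    IisTokenChecking           = if ($null -eq $tokenChecking) { 'unknown (no WebAdministration module or value not found)' } else { $tokenChecking }
}
```

A machine reporting SuppressionConfigured as True is carrying the workaround from the post, so it is worth tracking where that value was rolled out and why.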

1 Reply

@jcastillo_pro 

 

Same Problem here. Same configuration.

 

Windows Server 2012 R2

1. Create Application Pool with Integrated

2. Create App with created pool reference (just ordinary index.html)

3. IE11 SSO directly, Chrome always prompts, Edge always prompts (87.0.664.75 64bit).

In Firefox however it worked with this setting (about:config): network.automatic-ntlm-auth.trusted-uris

With Chrome I had success doing the following:
Chrome.exe --auth-server-whitelist="[SERVER_NAME]" --auth-negotiate-delegatewhitelist="[SERVER_NAME]" --auth-schemes="digest,ntlm,negotiate"

(Replace SERVER_NAME with your server)

-> Will prompt for credentials anyway but then works

 

In Edge with the same parameter no luck. Don't know what they changed. If I have any news I will let you know.