Google Chrome not working with Windows authentication
Article ID: 115852
Updated On:
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On
Issue/Introduction
How should we configure Google Chrome in order to process Windows Authentication requests from CA Single Sign-On?
Environment
Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP
Component:
Component:
Resolution
In order to configure it properly, follow the steps below:
Configuring Chrome and Firefox for Windows Integrated Authentication
https://specopssoft.com/blog/configuring-chrome-and-firefox-for-windows-integrated-authentication/
Configure the following registry settings with the corresponding values:
AuthSchemes
Data type: String (REG_SZ)
Windows registry location: Software\Policies\Google\Chrome\AuthSchemes
Mac/Linux preference name: AuthSchemes
Supported on: Google Chrome (Linux, Mac, Windows) since version 9
Supported features: Dynamic Policy Refresh: No, Per Profile: No
Description: Specifies which HTTP Authentication schemes are supported by Google Chrome. Possible values are ‘basic’, ‘digest’, ‘ntlm’ and ‘negotiate’. Separate multiple values with commas. If this policy is left not set, all four schemes will be used.
Value: “basic,digest,ntlm,negotiate”
AuthServerWhitelist
Data type: String (REG_SZ)
Windows registry location: Software\Policies\Google\Chrome\AuthServerWhitelist
Mac/Linux preference name: AuthServerWhitelist
Supported on: Google Chrome (Linux, Mac, Windows) since version 9
Supported features: Dynamic Policy Refresh: No, Per Profile: No
Description: Specifies which servers should be whitelisted for integrated authentication. Integrated authentication is only enabled when Google Chrome receives an authentication challenge from a proxy or from a server which is in this permitted list. Separate multiple server names with commas. Wildcards (*) are allowed. If you leave this policy not set Chrome will try to detect if a server is on the Intranet and only then will it respond to IWA requests. If a server is detected as Internet then IWA requests from it will be ignored by Chrome.
Value: “MYIISSERVER.DOMAIN.COM”
AuthNegotiateDelegateWhitelist
Data type: String (REG_SZ)
Windows registry location: Software\Policies\Google\Chrome\AuthNegotiateDelegateWhitelist
Mac/Linux preference name: AuthNegotiateDelegateWhitelist
Supported on: Google Chrome (Linux, Mac, Windows) since version 9
Supported features: Dynamic Policy Refresh: No, Per Profile: No
Description: Servers that Google Chrome may delegate to. Separate multiple server names with commas. Wildcards (*) are allowed. If you leave this policy not set Chrome will not delegate user credentials even if a server is detected as Intranet.
Example Value: ”MYIISSERVER.DOMAIN.COM”
From a DOS CLI, you can test the Google Chrome configuration before changing the registry, launching the browser like this:
start /B chrome -auth-server-whitelist="myserver1.mydomain.com, myserver2.mydomain.com" -auth-negotiate-delegatewhitelist="myserver1.mydomain.com, myserver2.mydomain.com" -auth-schemes="digest,ntlm,negotiate" "http://myserver1.mydomain.com/"
Configuring Chrome and Firefox for Windows Integrated Authentication
https://specopssoft.com/blog/configuring-chrome-and-firefox-for-windows-integrated-authentication/
Modify the registry to configure Google Chrome
Configure the following registry settings with the corresponding values:
Registry
AuthSchemes
Data type: String (REG_SZ)
Windows registry location: Software\Policies\Google\Chrome\AuthSchemes
Mac/Linux preference name: AuthSchemes
Supported on: Google Chrome (Linux, Mac, Windows) since version 9
Supported features: Dynamic Policy Refresh: No, Per Profile: No
Description: Specifies which HTTP Authentication schemes are supported by Google Chrome. Possible values are ‘basic’, ‘digest’, ‘ntlm’ and ‘negotiate’. Separate multiple values with commas. If this policy is left not set, all four schemes will be used.
Value: “basic,digest,ntlm,negotiate”
AuthServerWhitelist
Data type: String (REG_SZ)
Windows registry location: Software\Policies\Google\Chrome\AuthServerWhitelist
Mac/Linux preference name: AuthServerWhitelist
Supported on: Google Chrome (Linux, Mac, Windows) since version 9
Supported features: Dynamic Policy Refresh: No, Per Profile: No
Description: Specifies which servers should be whitelisted for integrated authentication. Integrated authentication is only enabled when Google Chrome receives an authentication challenge from a proxy or from a server which is in this permitted list. Separate multiple server names with commas. Wildcards (*) are allowed. If you leave this policy not set Chrome will try to detect if a server is on the Intranet and only then will it respond to IWA requests. If a server is detected as Internet then IWA requests from it will be ignored by Chrome.
Value: “MYIISSERVER.DOMAIN.COM”
AuthNegotiateDelegateWhitelist
Data type: String (REG_SZ)
Windows registry location: Software\Policies\Google\Chrome\AuthNegotiateDelegateWhitelist
Mac/Linux preference name: AuthNegotiateDelegateWhitelist
Supported on: Google Chrome (Linux, Mac, Windows) since version 9
Supported features: Dynamic Policy Refresh: No, Per Profile: No
Description: Servers that Google Chrome may delegate to. Separate multiple server names with commas. Wildcards (*) are allowed. If you leave this policy not set Chrome will not delegate user credentials even if a server is detected as Intranet.
Example Value: ”MYIISSERVER.DOMAIN.COM”
From a DOS CLI, you can test the Google Chrome configuration before changing the registry, launching the browser like this:
start /B chrome -auth-server-whitelist="myserver1.mydomain.com, myserver2.mydomain.com" -auth-negotiate-delegatewhitelist="myserver1.mydomain.com, myserver2.mydomain.com" -auth-schemes="digest,ntlm,negotiate" "http://myserver1.mydomain.com/"
Feedback
Yes
No
Powered by
