6

We need to access the intranet site called "http://mysite/myapp".

Using IE, every domain user can access the site without any prompt.

But if the user tries it with Chrome, the logon prompt shows at first. After entering credentials just once, the prompt doesn't appear anymore for the access.

I'm just wondering whether there is any way to avoid the first-time logon prompt on Chrome.

And we don't want any Chrome browser setting or shortcut for whitelisting per user, because we can't handle many users' Chrome one by one.

Any help will be appreciated.

Thanks.

Sangsu PARK

2 Answers

5

Check the details of Integrated Authentication in this Chromium documentation:

http://www.chromium.org/developers/design-documents/http-authentication

With Integrated Authentication, Chrome can authenticate the user to an Intranet server or proxy without prompting the user for a username or password. It does this by using cached credentials which are established when the user initially logs in to the machine that the Chrome browser is running on. Integrated Authentication is supported for Negotiate and NTLM challenges only.

Basically, execute Chrome with these switches to specify the auth schemes:

Chrome.exe --auth-server-whitelist="MYIISSERVER.DOMAIN.COM" --auth-negotiate-delegate-whitelist="MYIISSERVER.DOMAIN.COM" --auth-schemes="digest,ntlm,negotiate"

securecodeninja
  • Thanks, but we cannot force our many Chrome users to use switches. – Sangsu PARK Mar 14 '15 at 06:11
  • If you have Active Directory then you can use GPO. Here is a policy template: http://www.chromium.org/administrators/policy-templates – securecodeninja Mar 14 '15 at 06:30
  • Roman, is that the default behavior of Chrome, that it displays the credential prompt just for a user's first access? – Sangsu PARK Mar 15 '15 at 22:29
  • Documentation states that "if a challenge comes from a server outside of the permitted list, the user will need to enter the username and password". If there is a prompt then the challenge is coming from a server that is not whitelisted. So the answer to your question is, no. – securecodeninja Mar 16 '15 at 00:16
  • [Solved] This is because of IIS settings. I removed the "Negotiate" provider and left "NTLM" only. And it worked. Check details here: http://www.leftycoder.com/windows-authentication-chrome-iis/ – Sangsu PARK Mar 17 '15 at 22:20

3

I tried running the command line but it wasn't working. I had to configure the same settings via the Windows Registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"AuthSchemes"="basic,digest,ntlm,negotiate"
"AuthServerWhitelist"="*domain"
"AuthNegotiateDelegateWhitelist"="domain,server.domain.com"

Then I killed Chrome (cmd line: TaskKill /im chrome.exe), restarted Chrome and tried again, and voilà. Everything worked as expected.

Andrew Lewis
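A review aid for the three Chrome auth policies set in the registry export above, as an added example (not code from either answer or from Chromium). `parse_chrome_policy` and `audit` are hypothetical names, the sample text is constructed from the answer's values, and the wildcard check assumes whitelist patterns are matched as hostname globs.

```python
import re

# Constructed sample: the policy values from the answer above, as .reg text.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"AuthSchemes"="basic,digest,ntlm,negotiate"
"AuthServerWhitelist"="*domain"
"AuthNegotiateDelegateWhitelist"="domain,server.domain.com"
'''

CHROME_KEY = r"hkey_local_machine\software\policies\google\chrome"

def parse_chrome_policy(reg_text):
    """Return {value_name: string_value} for the Chrome policy key only."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == CHROME_KEY
        elif in_key:
            m = re.fullmatch(r'"([^"]+)"="(.*)"', line)
            if m:
                values[m.group(1)] = m.group(2)
    return values

def split_list(value):
    """Split a comma-separated policy string into lower-cased entries."""
    return [p.strip().lower() for p in value.split(",") if p.strip()]

def audit(policy):
    """Return review findings for the auth policies used on this page."""
    findings = []
    # Basic sends the password base64-encoded; the site here is plain http://.
    if "basic" in split_list(policy.get("AuthSchemes", "")):
        findings.append("AuthSchemes allows basic: password is only base64-encoded")
    # Assumption: glob matching, so '*corp' also matches hosts merely ending in 'corp'.
    for pat in split_list(policy.get("AuthServerWhitelist", "")):
        if pat.startswith("*") and not pat.startswith("*."):
            findings.append(f"AuthServerWhitelist pattern {pat!r} is not anchored at a dot")
    # Delegation forwards the user's Kerberos credentials: list exact hosts.
    for pat in split_list(policy.get("AuthNegotiateDelegateWhitelist", "")):
        if "*" in pat:
            findings.append(f"AuthNegotiateDelegateWhitelist pattern {pat!r} delegates to a wildcard")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_chrome_policy(SAMPLE_REG)):
        print(finding)
```

A real `.reg` export is usually UTF-16, so decode it before passing the text in.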