
How do I configure Chrome to allow Windows Authentication without prompting?


To configure Google Chrome for automatic Integrated Windows Authentication (IWA) without prompting, you need to set up both foundational Windows security settings and specific Google Chrome policies. This two-pronged approach ensures that your operating system trusts the authentication process and that Chrome knows which servers to automatically delegate credentials to.

How to Configure Google Chrome for Automatic Integrated Windows Authentication (IWA) Without Prompting

Enabling seamless Integrated Windows Authentication (IWA) in Chrome requires a combination of Windows' Internet Options settings and Chrome's own administrative policies. This process ensures that your browser can silently authenticate with internal web applications using your current Windows login credentials.

Step 1: Configure Windows Internet Options (Foundational for IWA)

The first step is to configure your Windows operating system's Internet Options to allow automatic logon within the intranet zone. This setting is crucial as Chrome, like other browsers on Windows, often relies on these underlying system preferences for handling IWA.

  1. Click the Windows Start menu, type "Control Panel," and open it.
  2. Click "Internet Options."
  3. In the "Internet Properties" window, click the "Security" tab.
  4. Select the Local intranet zone (represented by an icon of a globe with a chain).
  5. Click the "Custom level..." button.
  6. Scroll down to the "User authentication" section.
  7. Under "Logon," select "Automatic logon only in Intranet zone."
  8. Click "OK" to close the Security Settings window.
  9. Click "OK" again to close the Internet Properties window.

This configuration tells Windows that for sites within your defined intranet zone, it's permissible to automatically send your credentials without a prompt.

Step 2: Configure Google Chrome Policies for IWA

Even with the Windows settings in place, Chrome needs explicit instructions on which servers it should attempt IWA for and to which servers it should delegate your credentials. This is typically done via Chrome's administrative policies.

Key Chrome Policies for Silent IWA

Two primary Chrome policies are essential for enabling silent IWA:

  • AuthServerWhitelist: This policy specifies a list of URLs for which Chrome should attempt Integrated Windows Authentication. Chrome uses a pattern-matching system, where * can be used as a wildcard.
  • AuthNegotiateDelegateWhitelist: This policy is crucial for automatic (silent) authentication. It specifies a list of URLs for which Chrome should delegate the user's credentials to the operating system, allowing for NTLM/Kerberos negotiation without prompting. Without this, Chrome might still attempt IWA but would prompt the user.

Implementing Chrome Policies

The method for implementing these policies depends on whether you are managing Chrome in an enterprise environment or for an individual user.

For Enterprise Environments (Group Policy or MDM)

In managed environments, Google Chrome policies are typically deployed using Group Policy on Windows or an equivalent Mobile Device Management (MDM) solution.

  1. Download Chrome Enterprise Bundle: Obtain the latest Chrome Enterprise Bundle from the official Google Chrome Enterprise website. This bundle includes the necessary .admx and .adml policy templates.
  2. Add ADMX Templates: Copy the chrome.admx and google.admx files to your Central Store (%systemroot%\PolicyDefinitions) on your domain controller. Copy the corresponding language files (e.g., en-US) to the appropriate subfolder.
  3. Open Group Policy Management Editor:
    • Navigate to Computer Configuration > Policies > Administrative Templates > Google > Google Chrome.
  4. Configure Authentication server whitelist:
    • Enable this policy.
    • In the options, enter a comma-separated list of hostnames or domains for which IWA should be attempted.
    • Example: *.yourdomain.com, intranet.yourdomain.local
  5. Configure Authentication delegation whitelist:
    • Enable this policy.
    • In the options, enter a comma-separated list of hostnames or domains for which Chrome should delegate user credentials. This list should typically match or be a subset of your AuthServerWhitelist.
    • Example: *.yourdomain.com, intranet.yourdomain.local
  6. Apply Group Policy: Close the Group Policy Management Editor and run gpupdate /force on the client machines to apply the new policies.

For Individual Users (Registry Editor)

For standalone machines not managed by Group Policy, you can configure these policies directly in the Windows Registry. Caution: Modifying the Registry incorrectly can cause serious system problems. Back up your Registry before making changes.

  1. Open Registry Editor (regedit.exe).
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome. If the Google or Chrome keys don't exist, create them.
  3. Create AuthServerWhitelist:
    • Right-click on the Chrome key, select New > String Value.
    • Name it AuthServerWhitelist.
    • Double-click the new string value and enter a comma-separated list of hostnames or domains for IWA.
    • Example: *.yourdomain.com, intranet.yourdomain.local
  4. Create AuthNegotiateDelegateWhitelist:
    • Right-click on the Chrome key, select New > String Value.
    • Name it AuthNegotiateDelegateWhitelist.
    • Double-click the new string value and enter a comma-separated list of hostnames or domains for credential delegation.
    • Example: *.yourdomain.com, intranet.yourdomain.local
  5. Close Registry Editor. For changes to take effect, you may need to restart Chrome or even your computer.
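
The registry steps above as a PowerShell script, added here as an example and not taken from Google's or Microsoft's documentation. The function names and the rule for refusing broad wildcards are assumptions of this example; the host patterns are the page's placeholders.

```powershell
# Added example: writes the two Chrome policy strings after refusing over-broad patterns.
# Run from an elevated PowerShell session; host patterns below are placeholders.
$ChromeKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Test-IwaPattern {
    param([Parameter(Mandatory)][string]$Pattern)
    # House rule (assumption): a wildcard is accepted only as a leading "*." followed
    # by at least two literal DNS labels, so "*" and "*.com" are refused.
    if ($Pattern.Contains('*')) { return $Pattern -match '^\*(\.[a-z0-9-]+){2,}$' }
    return $Pattern -match '^[a-z0-9-]+(\.[a-z0-9-]+)+$'
}

function Set-ChromeIwaPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$AuthServers,
        [string[]]$DelegateServers = @()
    )
    $bad = @(@($AuthServers) + @($DelegateServers) | Where-Object { -not (Test-IwaPattern $_) })
    if ($bad.Count) { throw "Refusing over-broad or malformed pattern(s): $($bad -join ', ')" }

    # Servers on the delegation list receive the user's credentials, so require every
    # entry to also appear (exact string match) in the authentication server list.
    $extra = @($DelegateServers | Where-Object { $_ -notin $AuthServers })
    if ($extra.Count) { throw "Delegation entries missing from the server list: $($extra -join ', ')" }

    if (-not (Test-Path $ChromeKey)) { New-Item -Path $ChromeKey -Force | Out-Null }
    # Policy names as used on this page; current Chrome documents the same policies
    # as AuthServerAllowlist and AuthNegotiateDelegateAllowlist.
    $values = @{ AuthServerWhitelist = $AuthServers; AuthNegotiateDelegateWhitelist = $DelegateServers }
    foreach ($name in $values.Keys) {
        if ($values[$name].Count -eq 0) { continue }
        if ($PSCmdlet.ShouldProcess("$ChromeKey\$name", 'Set policy string')) {
            New-ItemProperty -Path $ChromeKey -Name $name -PropertyType String `
                -Value ($values[$name] -join ',') -Force | Out-Null
        }
    }
}

# Dry run: -WhatIf reports what would be written without touching the registry.
Set-ChromeIwaPolicy -AuthServers '*.yourdomain.com', 'intranet.yourdomain.local' `
                    -DelegateServers 'intranet.yourdomain.local' -WhatIf
```

Remove -WhatIf to apply the values, then restart Chrome as described in the last step.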

Summary of Chrome IWA Policies

| Policy Name | Description | Example Value |
|---|---|---|
| Authentication server whitelist | Specifies a list of URLs that Chrome should attempt Integrated Windows Authentication for. | *.contoso.com, webapp.internal.corp |
| Authentication delegation whitelist | Specifies a list of URLs that Chrome can delegate the user's Kerberos or NTLM credentials to. Crucial for automatic, silent authentication. | *.contoso.com, webapp.internal.corp |

Step 3: Verify the Configuration

After implementing these settings, it's important to verify that Chrome has picked up the policies correctly:

  1. Open Google Chrome.
  2. Type chrome://policy in the address bar and press Enter.
  3. Look for AuthServerWhitelist and AuthNegotiateDelegateWhitelist in the list. Ensure their status is "OK" and their values reflect what you configured. If they are not listed or show incorrect values, the policies may not have been applied successfully.
  4. Clear your browser's cache and cookies for the relevant sites to ensure no old authentication tokens interfere.
  5. Navigate to an application that uses Integrated Windows Authentication. If configured correctly, you should be logged in automatically without any prompts.
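
A read-only check of the settings from Steps 1 and 2, added here as an example and not part of the original page or of Chrome's tooling. The function names and the wording of the findings are assumptions; the zone value 1A00 is the per-user registry value that the Internet Options "Logon" setting writes.

```powershell
# Added example: read-only report, changes nothing. Run as the user who will browse.
$ZoneKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
$ChromeKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
# Value 1A00 in zone 1 (Local intranet) stores the "Logon" choice from Step 1.
$LogonModes = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

function Get-PolicyEntries {
    param($Key, [string[]]$Names)
    # Return the first policy name that is present, split into trimmed entries.
    foreach ($n in $Names) {
        $raw = $Key.$n
        if ($raw) { return ,@($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }) }
    }
    return ,@()
}

function Get-IwaConfigReport {
    $zone   = Get-ItemProperty -Path $ZoneKey -Name '1A00' -ErrorAction SilentlyContinue
    $chrome = Get-ItemProperty -Path $ChromeKey -ErrorAction SilentlyContinue
    # Current Chrome documents these policies under the *Allowlist names; check both.
    $servers   = Get-PolicyEntries $chrome 'AuthServerAllowlist', 'AuthServerWhitelist'
    $delegates = Get-PolicyEntries $chrome 'AuthNegotiateDelegateAllowlist', 'AuthNegotiateDelegateWhitelist'

    $findings = @()
    if (-not $zone) {
        $findings += 'Zone 1 logon value (1A00) is not set for this user'
    } elseif ($zone.'1A00' -ne 0x20000) {
        $findings += "Zone 1 logon is '$($LogonModes[[int]$zone.'1A00'])'"
    }
    if (-not $servers.Count)   { $findings += 'No authentication server list configured' }
    if (-not $delegates.Count) { $findings += 'No delegation list configured' }
    if ('*' -in (@($servers) + @($delegates))) { $findings += "Pattern '*' is not restricted to your domain" }
    foreach ($d in $delegates) {
        if ($d -notin $servers) { $findings += "Delegation entry '$d' is not in the server list" }
    }
    [pscustomobject]@{
        ZoneLogon       = if ($zone) { $LogonModes[[int]$zone.'1A00'] } else { '(not set)' }
        AuthServers     = $servers -join ', '
        DelegateServers = $delegates -join ', '
        Findings        = $findings
    }
}

Get-IwaConfigReport | Format-List
```

An empty Findings list means the registry matches what this page configures; chrome://policy remains the check for what Chrome itself has loaded.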

By combining the Windows "Automatic logon only in Intranet zone" setting with Chrome's AuthServerWhitelist and AuthNegotiateDelegateWhitelist policies, you can achieve seamless, unprompted Integrated Windows Authentication in Google Chrome.