Google Chrome – Kerberos, Delegation, Negotiation, Auth

2012, May 22    

One of my more recent jobs was setting up a web service that is both separated from the web application box and in need of the Windows credentials of the original caller. After discovering a lot of the pain around SPNs and Kerberos, where I found myself bound to Internet Explorer, I was really keen to get it working in my browser of choice.
(I’m using Windows 7 and my web applications are on a Windows domain.)

Various websites mention using the parameter --auth-negotiate-delegate-whitelist when starting Chrome.
This never worked for me.

What did work is documented here: http://dev.chromium.org/administrators/policy-list-3#AuthNegotiateDelegateWhitelist
Basically, you just add a registry entry to specify your whitelist of servers.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"AuthNegotiateDelegateWhitelist"="myserver,myotherserver,*.mydomain.local"

What the document doesn’t tell you is that after making the registry change, you have to reboot for the change to take effect; just exiting Chrome or killing the Chrome process won’t cut it. After making the change, close Chrome and ensure you kill any of the resident Chrome processes with Task Manager.
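
An added example (not part of the original post): a PowerShell check that reads the whitelist from the policy key used above and flags wildcard entries, since every host a pattern matches can receive the user's delegated Kerberos credentials. The function name Test-DelegationEntry, the finding texts and the extra HKCU lookup are assumptions of this example.

```powershell
# Added example: audit Chrome's Kerberos delegation whitelist policy.
# Key path and value name are the ones from the .reg file in the post.
$valueName  = 'AuthNegotiateDelegateWhitelist'
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',   # machine-wide policy (as in the post)
    'HKCU:\SOFTWARE\Policies\Google\Chrome'    # per-user policy (assumed to be worth checking too)
)

# Hypothetical helper: returns a finding for broad patterns, $null for exact hosts.
function Test-DelegationEntry {
    param([string]$Entry)
    if ($Entry -eq '*') {
        return 'matches every server'
    }
    if ($Entry -match '^\*\.?[^.]+$') {
        return 'wildcard over a single-label suffix'
    }
    if ($Entry.Contains('*')) {
        return 'wildcard: confirm every matching host should receive delegated credentials'
    }
    return $null
}

foreach ($key in $policyKeys) {
    $prop = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if (-not $prop) {
        Write-Host "$key : $valueName is not set"
        continue
    }
    # The policy value is a comma-separated list of server names and patterns.
    foreach ($entry in ($prop.$valueName -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        $finding = Test-DelegationEntry -Entry $entry
        $note = if ($finding) { $finding } else { 'exact host' }
        [pscustomobject]@{
            PolicyKey = $key
            Entry     = $entry
            Finding   = $note
        }
    }
}
```

With the sample value from the .reg file above, `myserver` and `myotherserver` are reported as exact hosts and `*.mydomain.local` is reported as a wildcard to confirm.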