Jamf Nation Community

Is this still working for you? We did the same thing through managed preferences and with the latest chrome it no longer works.

Even if I set the policy manually and verify it is correct via chrome://policy/ it does not work. Firefox and Safari both work. I checked klist and I have a valid kerberos ticket too. Was hoping there was an additional setting I am missing. I am on Version 35.0.1916.114.

not that I can help but how do you get it to work with Safari???

Version 35 is when it stopped working for me. I just reverted to the latest version of 34 and it works normally

@ooshnoo You don't need to configure Safari to do Kerberos. The server needs to be configured to do Kerberos (or Negotiate in IIS) authentication, the system needs to be bound, and the user needs to have a TGT (which he would get at login - check via klist).

Thanks JP... Doesn't work for us here on Safari. Maybe IIS or AD isn't configured correctly.

So after looking into it a little bit more, I noticed that most the managed preferences I have for Chrome work, but the "cloud print" ones that I have that are used to disable it are not working. Anyone else seeing this?

Bump:

@bentoms I'm not sure what method to use Managed Preferences or Default Writes (haven't used Managed Prefs much) - Are the Chrome settings configured as Global Preference?

Also wondering if using the defaults write command, do the settings tend to 'stick' if upgrading Chrome at a later point etc.

@dajackson Nowadays, I do this via a custom setting Config Profile.

You could write a plist out with the defaults commands above, & then upload to the JSS to create the profile.

They will then stick.

This is great, thanks guys! Quick question... if you want to add more than one site, how would you do that?

 <key>AuthNegotiateDelegateWhitelist</key>
   <string>*.site.com *.site2.com</string>
 <key>AuthServerWhitelist</key>
   <string>*.site.com *.site2.com</string>

That doesn't seem to work.

Haven't been able to find a solution to adding multiple domains. comma separated, space, etc...

@tegelaar Hey there, I am doing this for my Org. Did you ever find success with this? FF works fine..... Chrome does not

@tegelaar We're using the following for Chrome

# Variables
loggedInUser=`/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }'`
loggedInUserHome=`dscl . -read /Users/$loggedInUser NFSHomeDirectory | awk '{print $NF}'`
tld="*.company.com"



# Google Chrome
/bin/echo "*** Enable single sign-on in Google Chrome for $loggedInUser ***"
/bin/echo "Quit all Chrome-related processes"
/usr/bin/pkill -l -U ${loggedInUser} Chrome

if [ -f "/Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist" ]; then

    # backup current file
    /bin/cp "/Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist" "/Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist.backup"
    /bin/echo "Preference archived as: /Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist.backup"

    /usr/bin/defaults write /Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist AuthNegotiateDelegateWhitelist $tld
    /bin/echo "AuthNegotiateDelegateWhitelist set to $tld for $loggedInUser"
    /usr/bin/defaults write /Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist AuthServerWhitelist $tld
    /bin/echo "AuthServerWhitelist set to $tld for $loggedInUser"
    /usr/sbin/chown $loggedInUser /Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist

    # Respawn cfprefsd to load new preferences
    /usr/bin/killall cfprefsd

else

    /bin/echo "Google preference not found for $loggedInUser"

fi

Anyone get this working? @dan.snelson - I ran the script, checked the pref file and the Okta tld is set for AuthNegotiateDelegateWhitelist and AuthServerWhitelist, but I'm still getting a request for credentials when I hit our test page.

@smamdani What output do you get when you enter klist in Terminal?

So I did finally get it working. The disconnect in my head was that you have to whitelist the internal server where you have the Okta agent running, while I was trying to whitelist *.okta.com.

@smamdani Good deal. Take care.

Hi there, works fine with one domain only, but did anybody get it to run with more than one domain?

@andreassauer I have done some testing with the script posted above. It seems that if you just seperate the domains with commas it works.

I and stealing and reposting the script from above with the addition to reflect this. I cannot personally fully test this. However i have tested this to some degree by changing company1 and company3 around. If you dont mind sir let me know if you test this and it works.

# Variables
loggedInUser=`/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }'`
loggedInUserHome=`dscl . -read /Users/$loggedInUser NFSHomeDirectory | awk '{print $NF}'`
tld="*.company1.com,*.company2.com,*company3.com"



# Google Chrome
/bin/echo "*** Enable single sign-on in Google Chrome for $loggedInUser ***"
/bin/echo "Quit all Chrome-related processes"
/usr/bin/pkill -l -U ${loggedInUser} Chrome

if [ -f "/Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist" ]; then

    # backup current file
    /bin/cp "/Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist" "/Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist.backup"
    /bin/echo "Preference archived as: /Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist.backup"

    /usr/bin/defaults write /Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist AuthNegotiateDelegateWhitelist $tld
    /bin/echo "AuthNegotiateDelegateWhitelist set to $tld for $loggedInUser"
    /usr/bin/defaults write /Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist AuthServerWhitelist $tld
    /bin/echo "AuthServerWhitelist set to $tld for $loggedInUser"
    /usr/sbin/chown $loggedInUser /Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist

    # Respawn cfprefsd to load new preferences
    /usr/bin/killall cfprefsd

else

    /bin/echo "Google preference not found for $loggedInUser"

fi

Was wondering if anybody might be able to post their plist that is working? Not having luck. Running High Sierra and Latest version of Chrome. With JAMF Pro 10.
This is what my plist is looking like. The *.company.com is being replaced with my companies domain.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict> <key>AuthNegotiateDelegateWhitelist</key> <string>.company.com</string> <key>AuthServerWhitelist</key> <string>.company.com</string> <key>KeychainReauthorizeInAppSpring2017</key> <integer>1</integer> <key>KeychainReauthorizeInAppSpring2017Success</key> <true/> <key>LastRunAppBundlePath</key> <string>/Applications/Google Chrome.app</string>
</dict>
</plist>

i have tried all steps it doesn't work.

i have tried all steps it doesn't work.

Has anyone got IWA to work on chrome using high sierra?

@Mbooth IWA and Chrome works for us in High Sierra (10.13.6), but doesn't work on Mojave (10.14.2) Firefox and Safari seems to work okay.

@bbot In a single test with macOS 10.14.2 (18C54) and Chrome 71.0.3578.98, it's working for me for a single domain.

Thanks for the info @dan-snelson . I'm going to be reimage a new Mac with Mojave and try again without any of our company software on there..

Are you using a configuration profile or a one time script to configure the settings? We've been deploying it via config profile successfully up until 10.13.6.

@bbot We're using a one-time script via Self Service.

@dan-snelson what version of the IWA web app are you running?

@bbot We don't use Okta IWA Web App for Desktop SSO.

This may be a silly question, but once the changes to the WhiteLists are made and Chrome restarted, so long as a machine has a valid Kerberos ticket then SSO should work and just pass through correct? I've been trying for some time now and continue to get the prompts within Chrome when trying to access expected resources. Machine is bound, Kerberos ticket, 10.14.2 and latest Chrome.

@andrew.nicholas I believe @bbot is running a similar setup; we no longer bind, using just Enterprise Connect, and Chrome is working for us with a single domain.

@dan-snelson Thanks dan, we still bind for a myriad of reasons but the accounts are local with EC tie ins as well.

@andrew.nicholas we're in the same boat, unable to get it to work on 10.14, 10.15, have you had success with this?

Agentless DSSO for my OKTA Tenant now works with these preferences

This should work successfully when setting the config via a managed Plist, won't work from the terminal

I needed to add “AuthNegotiateDelegateByKdcPolicy” true
See: https://chromeenterprise.google/policies/#AuthNegotiateDelegateByKdcPolicy

In case anyone else is looking at this thread in 2022, the current supported method (in my testing) is the configuration profile one, and the keys all use the term "allowlist" instead of "whitelist".  Good documentation here: https://chromeenterprise.google/policies/#HTTPAuthentication

Here's my working config profile:

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>AuthNegotiateDelegateAllowlist</key>

<string>*.company.com</string>

<key>AuthServerAllowlist</key>

<string>*.company.com</string>

<key>AuthNegotiateDelegateByKdcPolicy</key>

<true/>

</dict>

</plist>

Thank you ncworster! This was exactly the fix we needed for our company. we changed the keys to "allowlist" and now sso is working properly for Google Chrome.