@tegelaar, those settings need to be set at a user level, so if run as a policy at login this may work:
#!/bin/sh
sudo defaults write "/Users/$3/Library/Preferences/com.google.Chrome.plist" AuthNegotiateDelegateWhitelist '*.domain.intra'
sudo defaults write "/Users/$3/Library/Preferences/com.google.Chrome.plist" AuthServerWhitelist '*.domain.intra'
But we successfully deploy this via Managed Preferences.
Is this still working for you? We did the same thing through managed preferences and with the latest Chrome it no longer works.
Even if I set the policy manually and verify it is correct via chrome://policy/ it does not work. Firefox and Safari both work. I checked klist and I have a valid Kerberos ticket too. Was hoping there was an additional setting I am missing. I am on Version 35.0.1916.114.
Not that I can help, but how do you get it to work with Safari???
Version 35 is when it stopped working for me. I just reverted to the latest version of 34 and it works normally
@ooshnoo You don't need to configure Safari to do Kerberos. The server needs to be configured to do Kerberos (or Negotiate in IIS) authentication, the system needs to be bound, and the user needs to have a TGT (which he would get at login - check via klist).
Thanks JP... Doesn't work for us here on Safari. Maybe IIS or AD isn't configured correctly.
So after looking into it a little bit more, I noticed that most of the managed preferences I have for Chrome work, but the "cloud print" ones that I have that are used to disable it are not working. Anyone else seeing this?
Bump:
@bentoms I'm not sure what method to use Managed Preferences or Default Writes (haven't used Managed Prefs much) - Are the Chrome settings configured as Global Preference?
Also wondering if using the defaults write command, do the settings tend to 'stick' if upgrading Chrome at a later point etc.
@dajackson Nowadays, I do this via a custom setting Config Profile.

You could write a plist out with the defaults commands above, & then upload to the JSS to create the profile.
They will then stick.
This is great, thanks guys! Quick question... if you want to add more than one site, how would you do that?
<key>AuthNegotiateDelegateWhitelist</key>
<string>*.site.com *.site2.com</string>
<key>AuthServerWhitelist</key>
<string>*.site.com *.site2.com</string>
That doesn't seem to work.
Haven't been able to find a solution to adding multiple domains. comma separated, space, etc...
@tegelaar Hey there, I am doing this for my Org. Did you ever find success with this? FF works fine..... Chrome does not
@tegelaar We're using the following for Chrome
# Variables
loggedInUser=`/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }'`
loggedInUserHome=`dscl . -read /Users/$loggedInUser NFSHomeDirectory | awk '{print $NF}'`
tld="*.company.com"
# Google Chrome
/bin/echo "*** Enable single sign-on in Google Chrome for $loggedInUser ***"
/bin/echo "Quit all Chrome-related processes"
/usr/bin/pkill -l -U "${loggedInUser}" Chrome
if [ -f "/Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist" ]; then
    # backup current file
    /bin/cp "/Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist" "/Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist.backup"
    /bin/echo "Preference archived as: /Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist.backup"
    # "$tld" is quoted so the shell passes the wildcard to defaults unexpanded
    /usr/bin/defaults write "/Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist" AuthNegotiateDelegateWhitelist "$tld"
    /bin/echo "AuthNegotiateDelegateWhitelist set to $tld for $loggedInUser"
    /usr/bin/defaults write "/Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist" AuthServerWhitelist "$tld"
    /bin/echo "AuthServerWhitelist set to $tld for $loggedInUser"
    # defaults ran as root, so hand the file back to the user
    /usr/sbin/chown "$loggedInUser" "/Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist"
    # Respawn cfprefsd to load new preferences
    /usr/bin/killall cfprefsd
else
    /bin/echo "Google preference not found for $loggedInUser"
fi
Anyone get this working? @dan.snelson - I ran the script, checked the pref file and the Okta tld is set for AuthNegotiateDelegateWhitelist and AuthServerWhitelist, but I'm still getting a request for credentials when I hit our test page.
@smamdani What output do you get when you enter klist in Terminal?
So I did finally get it working. The disconnect in my head was that you have to whitelist the internal server where you have the Okta agent running, while I was trying to whitelist *.okta.com.
@smamdani Good deal. Take care.
Hi there, works fine with one domain only, but did anybody get it to run with more than one domain?
@andreassauer I have done some testing with the script posted above. It seems that if you just separate the domains with commas it works.
I am stealing and reposting the script from above with the addition to reflect this. I cannot personally fully test this. However I have tested this to some degree by changing company1 and company3 around. If you don't mind sir let me know if you test this and it works.
# Variables
loggedInUser=`/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }'`
loggedInUserHome=`dscl . -read /Users/$loggedInUser NFSHomeDirectory | awk '{print $NF}'`
tld="*.company1.com,*.company2.com,*company3.com"
# Google Chrome
/bin/echo "*** Enable single sign-on in Google Chrome for $loggedInUser ***"
/bin/echo "Quit all Chrome-related processes"
/usr/bin/pkill -l -U "${loggedInUser}" Chrome
if [ -f "/Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist" ]; then
    # backup current file
    /bin/cp "/Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist" "/Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist.backup"
    /bin/echo "Preference archived as: /Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist.backup"
    # "$tld" is quoted so the shell passes the wildcards to defaults unexpanded
    /usr/bin/defaults write "/Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist" AuthNegotiateDelegateWhitelist "$tld"
    /bin/echo "AuthNegotiateDelegateWhitelist set to $tld for $loggedInUser"
    /usr/bin/defaults write "/Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist" AuthServerWhitelist "$tld"
    /bin/echo "AuthServerWhitelist set to $tld for $loggedInUser"
    # defaults ran as root, so hand the file back to the user
    /usr/sbin/chown "$loggedInUser" "/Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist"
    # Respawn cfprefsd to load new preferences
    /usr/bin/killall cfprefsd
else
    /bin/echo "Google preference not found for $loggedInUser"
fi
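Added example (not code from any poster in this thread): a POSIX sh lint for the string that the scripts above write to AuthServerWhitelist and AuthNegotiateDelegateWhitelist. The helper name check_auth_whitelist and its rules are assumptions made for this example; it flags space-separated lists, a bare `*`, a wildcard spanning a whole top-level domain, and a wildcard with no dot after it, which as a glob also matches unrelated hosts such as notcompany3.com.

```shell
#!/bin/sh
# check_auth_whitelist is a hypothetical helper, not part of Chrome or Jamf.
# It prints one line per questionable entry and returns 1 if any was found.
check_auth_whitelist() {
    value=$1
    status=0
    if [ -z "$value" ]; then
        echo "(empty): no servers listed"
        return 1
    fi
    old_ifs=$IFS
    set -f          # keep the shell from expanding '*' against the cwd
    IFS=,           # entries are comma-separated
    for entry in $value; do
        reason=""
        case $entry in
            "")     reason="empty entry (stray comma)" ;;
            *" "*)  reason="contains a space; separate servers with commas" ;;
            "*")    reason="matches every server" ;;
            "*."*)
                rest=${entry#\*.}       # drop the leading '*.'
                case $rest in
                    *.*) ;;             # e.g. *.domain.intra: scoped to one domain
                    *)   reason="wildcard covers a whole top-level domain" ;;
                esac ;;
            "*"*)   reason="wildcard is not anchored at a dot" ;;
        esac
        if [ -n "$reason" ]; then
            echo "$entry: $reason"
            status=1
        fi
    done
    IFS=$old_ifs
    set +f
    return $status
}

# Constructed sample run, using the multi-domain value from the script above.
check_auth_whitelist '*.company1.com,*.company2.com,*company3.com' || true
```

Running the check on the delegate list matters most, since servers on that list receive delegated Kerberos credentials.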
Was wondering if anybody might be able to post their plist that is working? Not having luck. Running High Sierra and Latest version of Chrome. With JAMF Pro 10.
This is what my plist is looking like. The *.company.com is being replaced with my company's domain.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AuthNegotiateDelegateWhitelist</key>
<string>.company.com</string>
<key>AuthServerWhitelist</key>
<string>.company.com</string>
<key>KeychainReauthorizeInAppSpring2017</key>
<integer>1</integer>
<key>KeychainReauthorizeInAppSpring2017Success</key>
<true/>
<key>LastRunAppBundlePath</key>
<string>/Applications/Google Chrome.app</string>
</dict>
</plist>
I have tried all steps, it doesn't work.
Has anyone got IWA to work on Chrome using High Sierra?
@Mbooth IWA and Chrome work for us in High Sierra (10.13.6), but don't work on Mojave (10.14.2)
Firefox and Safari seem to work okay.