Chromium Embedded Framework Forum

[thanaa]

So, somewhere around chrome 41, the auth-server-whitelist and auth-delegate-whitelist command line options fell off and moved to the registry, or GPO. My question is, does cef support this? because I cannot seem to find a build (going back to 39) that actually works.

To be clear, NTLM/negotiate works, I can see in event viewer, a successful login audit record, BUT the second hop from IIS -> Sql server fails. Which means that the delegation pieces are not working. I've validated it in chrome, via the registry settings, (below) and it picks them up and allows the delegation, what I was trying to figure out is if possibly cef needs a different registry location since as you can see Chrome and Chromium have different locations for the setting.

Code: Select all

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Chromium]
"AuthNegotiateDelegateWhitelist"="*"
"AuthServerWhitelist"="*"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Google]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Google\Chrome]
"AuthNegotiateDelegateWhitelist"="*"
"AuthServerWhitelist"="*"

Any help would be greatly appreciated.

[magreenblatt]

See https://bitbucket.org/chromiumembedded/cef/issues/1150/

[thanaa]

So i dug through chrome source code and after tracking back from the policy stuff you mentioned, to chrome/browser/io_thread.cc (https://chromium.googlesource.com/chromium/src.git/+/master/chrome/browser/io_thread.cc i found this block of code:

Line:473 -> Here it pulls the list from preferences.

Code: Select all

 auth_server_whitelist_ = local_state->GetString(prefs::kAuthServerWhitelist);
  auth_delegate_whitelist_ = local_state->GetString(
      prefs::kAuthNegotiateDelegateWhitelist);

Line 1019: Here it uses those values pulled from preferences.

Code: Select all

net::HttpAuthHandlerFactory* IOThread::CreateDefaultAuthHandlerFactory(
    net::HostResolver* resolver) {
  net::HttpAuthFilterWhitelist* auth_filter_default_credentials = NULL;
  if (!auth_server_whitelist_.empty()) {
    auth_filter_default_credentials =
        new net::HttpAuthFilterWhitelist(auth_server_whitelist_);
  }
  net::HttpAuthFilterWhitelist* auth_filter_delegate = NULL;
  if (!auth_delegate_whitelist_.empty()) {
    auth_filter_delegate =
        new net::HttpAuthFilterWhitelist(auth_delegate_whitelist_);
  }
  globals_->url_security_manager.reset(
      net::URLSecurityManager::Create(auth_filter_default_credentials,
                                      auth_filter_delegate));

This very closely resembles the patch referenced in the link you provided above, and is different than what cef does (which is pass NULL for both lists).

Example here:https://bitbucket.org/chromiumembedded/cef/src/694b45717c971a0bb639f555b640d313fc15ccc8/libcef/browser/url_request_context_getter_impl.cc?at=master&fileviewer=file-view-default
Line 175:

Code: Select all

// Add support for single sign-on.
    url_security_manager_.reset(net::URLSecurityManager::Create(NULL, NULL));


From everything I see when looking at chrome code, vs cef code, it doesn't matter -where- those values come from (prefs vs commandLineArgs) because cef doesn't use them regardless.

I'm currently trying to build cef using the directions from the automated build example, once i get it figured out i was going to modify the cef code to look more like the io_thread.cc code and see if it will pick it up because currently, using preferences (via GPO, and via registry) or command line arguments does not work with cef. I'm not by trade a c++ developer(mostly c# and web-dev) though so its taking me a bit to pick through this and make sense of it all.

[dkwilson]

thanaa,
I am dealing with a very similar situation where I need to define the Auth policies in chromium embedded framework. Did you learn the correct way to do this last year?