
I've been searching the internet for almost 4 days now and I'm stuck.

I've created a simple ASP MVC4 Intranet website and I have deployed it to a server called iis. That computer is inside the same domain as my computer.

Inside my domain I have 3 computers: my_pc, iis server and sql server.

When I enter the address http://iis on my PC I see that I'm logged in correctly.

This works in IE and Chrome. <- till now everything is ok!

The problem begins when I try to do a SQL query inside my webpage - WebAPI Controller.

On IE I get the correct result, but on Chrome I get an error.

Inside Web.config I have required config:

<authentication mode="Windows" />
<identity impersonate="true" />

Inside IIS I have disabled anonymous authentication and enabled windows authentication.

My IIS is trusted to delegate requests to my SQL server.

The weirdest part is that when I try to open my webpage (with the SQL query) in Chrome I get an error; then, when I open the same webpage in IE (which is successful) and refresh Chrome, the website loads correctly and works for some time (randomly, sometimes 5 minutes, sometimes 30 seconds).

I've tried adding the [Authorize] attribute to specific methods, but this didn't help.

It looks like Chrome isn't passing the Kerberos token to IIS.

I've tried steps described here: http://dev.chromium.org/developers/design-documents/http-authentication but without any luck.

Could someone please instruct me step by step how I should configure Google Chrome and the rest (IIS, SQL if needed) to use Windows Authentication in Chrome?

Misiu

1 Answer

Your problem is that you are using Chromium documentation to solve a Chrome problem. While similar, they are two different browsers. You need to enable delegation by white-listing the servers that IIS can delegate to. The way that you do it in Chrome is similar to Chromium, but in the case of the registry keys you need to use [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome] for Chrome instead of [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Chromium] for Chromium.

When you read the doc, you will find that you can use Group Policy, Chrome for Business or the command line to enable delegation, but in your setting, I assume that you used the registry option. I find that the essential key to set is AuthNegotiateDelegateWhitelist. Set the value to "*" to start. Once you have it working, lock it down to just the servers you want by changing the * to a comma-separated list of servers, either by IP address or DNS name. Wildcards are allowed. You may want to look at the AuthServerWhiteList key as well.

Ted Cohen
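The locked-down form of the registry setting described in the answer, as an added PowerShell example that is not part of the original answer: it writes both policy values under the Chrome key and refuses a bare `*`. The entry `*.corp.example` and the split between the two lists are assumptions; current Chrome releases name these policies AuthServerAllowlist and AuthNegotiateDelegateAllowlist.

```powershell
#Requires -RunAsAdministrator
# Added example: scope Chrome's Negotiate/Kerberos policies to named servers.
# 'iis' is the server from the question; '*.corp.example' is a constructed placeholder.

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$AuthServers = @('iis', '*.corp.example')  # servers Chrome may answer Negotiate challenges from
$DelegateTo  = @('iis')                    # servers allowed to receive a delegable ticket

function Test-AllowList {
    param([string[]]$Entries, [string]$Name)
    foreach ($e in $Entries) {
        $t = $e.Trim()
        if ($t -eq '') { throw "$Name contains an empty entry" }
        # A bare "*" matches every server: acceptable for a first test only.
        if ($t -eq '*') { throw "$Name contains a bare '*', which matches every server" }
        if ($t -match '[\s,]') { throw "$Name entry '$e' contains whitespace or a comma" }
    }
}

function Set-ChromeAuthPolicy {
    param([string]$Name, [string[]]$Entries)
    Test-AllowList -Entries $Entries -Name $Name
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # Chrome expects one comma-separated string, not a multi-string value.
    $value = ($Entries | ForEach-Object { $_.Trim() }) -join ','
    New-ItemProperty -Path $PolicyKey -Name $Name -Value $value `
        -PropertyType String -Force | Out-Null
}

Set-ChromeAuthPolicy -Name 'AuthServerWhitelist'            -Entries $AuthServers
Set-ChromeAuthPolicy -Name 'AuthNegotiateDelegateWhitelist' -Entries $DelegateTo

# Read the values back so the result can be checked against what was intended.
Get-ItemProperty -Path $PolicyKey |
    Select-Object AuthServerWhitelist, AuthNegotiateDelegateWhitelist |
    Format-List
```

After the values are written, the chrome://policy page in Chrome shows whether the browser has picked them up.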