Google Chrome and NTLM Auto Login Using Windows Authentication

Please let me disclaim that there are other posts out there with the same information as I’m about to present, but I’ve had to find this multiple times now and it’s always been a struggle to find. If of no use to anyone else, this is for my own selfish ease of access.

Scenario

  • You operate a web server or other services (such as Exchange Client Access Role, SharePoint [yuk!], etc.)
  • To access the website or service (herein referred to as a service) the user needs to be authenticated with their Windows [Active Directory Domain] credentials
  • The web server has the required “features” installed, and the Windows Authentication method has been enabled and the Anonymous Authentication method disabled via Internet Information Services (IIS) at either the server, site, folder or file level
  • The expectation is the user browses to https://system.sysadminspot.com/ which accepts this method of authentication
  • The user is prompted to enter their Windows authentication credentials – that is, they are NOT detected and automatically logged in, but they must type their credentials into the prompt.

The last point above is what I will be addressing in this post.

Firstly, regardless of the browser you are using (Internet Explorer, Google Chrome or Firefox) there are default security settings in place to prohibit the automatic “single sign-on” or NTLM authentication via the browser. Most browsers insist you enable this at the browser level and/or define a trusted list of hostnames where this is permitted.

Internet Explorer (IE)

IE gets its settings from the operating system “Internet Settings”, typically accessed via Tools > Internet Options from within the browser or Control Panel > Internet Options.

Websites are broken down into zones – internet, local intranet, trusted sites and restricted sites. By default, the local intranet zone has User Authentication > Logon set to Automatic logon only in Intranet zone (accessible via custom settings).

This means that unless IE detects you’re browsing a website within your own network with a local IP address – automatic login will not work and the user will be prompted to type in their credentials.

Generally speaking, this is a good setting. But in some cases, organisations have complex setups which will not fall into this category. What needs to be realised, however, is that this is the default behaviour.

Don’t worry, it is changeable – however I caution you to do it properly, such as via a group policy change, to avoid user confusion (i.e. works on one computer but not another).

Suggested Workaround

My recommendation is to add services that are outside of the local intranet to the trusted sites zone sites list. Then hit custom level, scroll right to the bottom and change User Authentication > Logon > Automatic logon with current user name and password.

A Point of Order

A gentle reminder that if the user attempts to access a new service that is NOT listed in local intranet or trusted sites – then they are obviously going to be prompted to enter their credentials! This includes going to https://system/ instead of https://system.sysadminspot.com/ – they are different hostnames. If you need both to work – add both!

You must keep the list of permitted sites up to date or make this setting on the internet zone (not recommended).
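
To check what a given user profile actually ends up with, the following read-only PowerShell audit reports the Logon setting of each zone and the zone a host name has been assigned to. It is an added example, not part of the original post; the function names are hypothetical, and it assumes the standard per-user "Internet Settings" registry layout and a two-label parent domain such as sysadminspot.com.

```powershell
# Added example: read-only audit of the per-user Internet Options zone settings.
$base  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zones = 'My Computer', 'Local intranet', 'Trusted sites', 'Internet', 'Restricted sites'
# Zone value 1A00 is User Authentication > Logon (keys are the DWORD as a string).
$logon = @{
    '0'      = 'Automatic logon with current user name and password'
    '65536'  = 'Prompt for user name and password'        # 0x10000
    '131072' = 'Automatic logon only in Intranet zone'    # 0x20000
    '196608' = 'Anonymous logon'                          # 0x30000
}

function Get-ZoneLogonSetting {
    foreach ($id in 1..4) {
        $v = (Get-ItemProperty -Path "$base\Zones\$id" -ErrorAction SilentlyContinue).'1A00'
        [pscustomobject]@{
            Zone   = $zones[$id]
            Logon  = if ($null -eq $v) { 'not set under HKCU' } else { $logon["$v"] }
            # Automatic logon in the Internet zone answers any site that asks.
            Review = ($id -eq 3 -and $v -eq 0)
        }
    }
}

function Get-SiteZone {
    param([string]$HostName, [string]$Scheme = 'https')
    # "system.sysadminspot.com" is stored as ZoneMap\Domains\sysadminspot.com\system;
    # a single-label name such as "system" is stored as ZoneMap\Domains\system.
    $labels = $HostName.Split('.')
    $keys   = @("$base\ZoneMap\Domains\$HostName")
    if ($labels.Count -gt 2) {
        $domain = $labels[-2..-1] -join '.'
        $sub    = $labels[0..($labels.Count - 3)] -join '.'
        $keys  += "$base\ZoneMap\Domains\$domain\$sub"
    }
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($name in $Scheme, '*') {      # '*' = entry applies to every scheme
            $p = $props.PSObject.Properties[$name]
            if ($p) { return [pscustomobject]@{ Host = $HostName; Zone = $zones[[int]$p.Value]; Key = $key } }
        }
    }
    [pscustomobject]@{ Host = $HostName; Zone = 'not listed'; Key = $null }
}

Get-ZoneLogonSetting | Format-Table -AutoSize
'system.sysadminspot.com', 'system' | ForEach-Object { Get-SiteZone $_ } | Format-Table -AutoSize
```

Run it as the affected user. Settings delivered by group policy are stored under the Policies branch of the registry and are not read by this script.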

Google Chrome

You’ll note this blog post is actually about Google Chrome and not Internet Explorer. So why have I gone into so much detail about IE?

Google Chrome actually utilises the same settings that IE uses – that is the Control Panel > Internet Options settings as discussed in the Internet Explorer section above.

Thank you KaPes (last post on the page) for your helpful forum post on the Google product forums.

Mozilla Firefox

I really can’t do a better job on describing how to do this in Firefox than some of the other brilliant posts out there. I’ve linked to a few I found accurate and likely to be useful to you.


12 Responses to Google Chrome and NTLM Auto Login Using Windows Authentication

  1. Brendan says:

    Hi Jeff, I understood this to be a Windows feature which chrome (first released on Windows) has tapped into. I don’t think you’ll be able to get this to work on mobile. But if you figure it out let me know!

  2. Jeff says:

    I mean how to do this in mobile chrome? The popup keeps showing even after entering correct username and password.

  3. Jeff says:

    Hi, how about repeated login when using chrome browser in mobile?

  4. Rob says:

    I had to make changes to the registry to make this work. Also, I added a site to the local intranet instead of trusted sites, but I think it works either way. I downloaded the admx templates from Chromium.org and created a GPO to apply the changes. I had to change these policy names in Chrome:
    AuthNegotiateDelegateWhitelist, AuthSchemes and AuthServerWhitelist. You can check if these are set in Chrome by browsing to chrome:\\policy. Another issue I ran into is that if ‘negotiate’ is included in the AuthSchemes Policy, Chrome will still prompt for a username/password, but if I remove it and only list ntlm,basic,digest, then it lets me in without typing in a username/password.

  5. Brendan says:

    I always like a challenge, but you’d have to elaborate on what you mean sorry. 😉

    I need to understand what you mean by browser going offline, which browser, which website/Web server type, the exact problem/scenario and what your goal is. I have an idea kind of what you’re talking about, but unless I understand you exactly I could be typing a lot. 🙂

  6. neo says:

    Hi Brendan, not sure if you still are looking this post up, old sort of, but anyways… I was hoping to see if you knew a bit more about Windows auth when you have a browser that goes offline, how would one reauthenticate when they have the credentials asked by the browser but you want single sign on to still act like it should… from what I know there is no way to force a reauthentication client side… some say they store a serialized sessionstate client side but I hear that is a bad thing to do, any thoughts, thanks in advance

  7. Vinnie says:

    Thank you for documenting this.

  8. Adam says:

    Thank you so much for this information!
    I looked everywhere about this problem that mainly mentioned changing Windows Authentication settings in IIS 8, but nothing worked and this does.

  9. Jared says:

    I had trouble implementing this solution as I was unable to modify the Local Intranet or Trusted Sites settings in the Internet Options (locked down by Administrator).. but I did stumble upon a way to add sites to Chrome’s Integrated Authentication whitelist via the Registry. Add the key below (REG_SZ) and provide a comma separated list of sites as the value (“*google.com,foobar.com”).

    HKCU\Software\Policies\Chromium\AuthServerWhitelist

    For more info see the Chromium documentation.

  10. Ilya Oussov says:

    Thanks, it was refreshing to finally get chrome autologging)

  11. Brendan says:

    “In anyway” – technically yes – but there are many considerations.

    Do you need to do this via a standard browser? (e.g. Chrome or IE) If so that is going to be a bit tricky. For security reasons it is not a good idea to send authentication information before it is requested by the server. I also assume if security is in place then there’s something worth securing?

    Using something like wget or curl via the command line, you can bypass the to-fro you mentioned. If you are working on a scripted file download for example. If not, and you’re just using the browser, the answer is probably more likely towards the no.

    That said however, I could be wrong. I do not have any insight to share on all of the authentication methods (such as NTLM) to draw on and you’ve not elaborated on which you are using.

    I am happy to hear from anyone who has knowledge to share on the matter. 🙂

  12. Darshan says:

    I understand that the client needs to provide windows username and password for auto log-in whenever it receives a challenge from the server. But is it possible in anyway to send the www authorization header with the required information in the very first request. This can avoid the to-fro challenge & response communication required to authenticate and can save valuable time on high latency networks.
