
Issue 882484

Issue metadata

Status: Duplicate
Merged: issue 872665
Owner: ----
Closed: Sep 11
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug



Pass-through Authentication/SSO does not work in split DNS environment in Remote Desktop Session environment

Reported by tylor.we...@tra401k.com, Sep 10

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.81 Safari/537.36

Example URL:

Steps to reproduce the problem:
1. When using an internal web server joined to a .local domain and secured using an external certificate example.com. 
2. Open the web page from a Remote Desktop Session Host using https://example.com; you will be prompted for credentials.

What is the expected behavior?
When opening web page https://example.com authentication will occur automatically. 

What went wrong?
Automatic authentication does not occur when using Chrome in a Remote Desktop Session Host/Terminal Server environment to access an internal web server secured with an external certificate.

Does it occur on multiple sites: Yes

Is it a problem with a plugin? No 

Did this work before? Yes 68

Does this work in other browsers? Yes

Chrome version: 69.0.3497.81  Channel: stable
OS Version: 10.0
Flash Version: 

Works as expected on workstations and servers. Works as expected in standard Remote Desktop connections. Issue appears to only occur in Remote Desktop Services. Before the Chrome 69 update we were able to make it work by setting the Chrome GPO settings "Authentication server whitelist" and "Kerberos delegation server whitelist" to include both the external (example.com) site and the internal (.local) server name. Works as expected in Internet Explorer.
 
Components: -Blink Security
Labels: Needs-Bisect Needs-Triage-M69
Cc: asanka@chromium.org
Components: Internals>Network>Auth Enterprise
Labels: Triaged-ET
The issue looks similar to issue id: 872665. Ccing asanka@ from issue id: 872665 for further inputs on the issue.

Thanks...!!
Labels: Needs-Feedback
We need a bit more information about the target server.

*) Is both the client and the server part of an Active Directory domain?
*) Does example.com have a CNAME entry mapping it to a hostname known to the AD domain?
*) Does example.com have a service principal? I.e. is HTTP/example.com@YOURREALM known to AD?

I believe this to be the same issue. It appears to be working as expected in Canary build 71.0.3549.0.

1. Yes. Both are part of the same .local Active Directory domain.
2. Yes. server.example.com has a CNAME entry mapping it to server.domain.local
3. Yes. example.com is known to AD. 
Project Member

Comment 6 by sheriffbot@chromium.org, Sep 11

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mergedinto: 872665
Status: Duplicate (was: Unconfirmed)
Thanks for the confirmation. The fix for this is rolling out to the stable channel currently.
