Need Webview2 browser policy to enable Kerberos delegation

[Kay-Burchardt]

I am the responsible developer for the Edge control in SAP Business Client. Our customers expect that they can use the same SSO mechanisms in our product as in standalone Edge or Chrome. Some applications, like SAP BI, use SPNEGO/Kerberos delegation. For security reasons, that feature is by default disabled in chromium based browsers, so an allow list has to be provided in the browser policy "AuthNegotiateDelegateAllowlist".

https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#authnegotiatedelegateallowlist

Webview2 ignores Edge browser policies and currently doesn't contain that policy in it's own set of policies. Previous chromium versions offered the command line switch "–auth-negotiate-delegatewhitelist", but afaik it has been removed. So currently we have no chance to pass the allow list.

Please either add "AuthNegotiateDelegateAllowlist" to the set of Webview2 browser policies, or provide an API to set the list programmatically. Maybe it would be a good idea to also cover the full set of Edge Http authentication policies:

https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#http-authentication

AB#44690405

[champnic]

Thanks for the feature request @Kay-Burchardt, I've added it to our backlog.

[lo-lo-o]

Hello, I'm greatly interested in this feature request, especially to get a way to pass AuthServerAllowlist, AuthNegotiateDelegateAllowlist and may be AuthSchemes to Webview2.
Webview2 is my best candidate for my project, but is useless if I can't get SSO working.
Do you have an idea of a possible release of this feature ?
Thanks in advance

[Auersberg]

We have the same requirement here.
Embedded browsers are mainly needed in enterprise applications. SSO, SPNEGO/Kerberos are essential for this. An application that cannot support this is simply not accepted in professional environments.

[ShaunLoganOracle]

Adding another vote for documented support for integrated authentication via WebView2 - say by adhering to policies (which seem to currently work, per #2563 ).

[ShaunLoganOracle]

Hi @champnic
It has been a while since this request was added to the backlog.
There seems to be a decent amount of interest: #1641, #2563, #2507, #2974. #3315
Can you give all the folks interested in this any update?

fyi @victorthoang

[novac42]

Hi @ShaunLoganOracle We have begun designing and coordinating dev resources. Will provide further updates as it progresses through the development pipeline.

[advos]

Hi @champnic It has been a while since this request was added to the backlog. There seems to be a decent amount of interest: #1641, #2663, #2507, #2974. #3315 Can you give all the folks interested in this any update?

fyi @victorthoang

We are still waiting for official support on this item. We really need kerberos support within webview2. The registry settings for kerberos is working but it’s not official supported.

[novac42]

@Kay-Burchardt @ShaunLoganOracle @advos We are considering adding an API to support the auth delegation and integrated authentication scenario so that developers can programmatically set allowlist. Could you please clarify the urgency of this matter so we can accurately assess its priority level?

[ShaunLoganOracle]

@novac42
For my products (Excel add-ins), the lack of documented support for policies that govern Integrated Authentication is a significant gap. As others have pointed out, this kind of support is expected in enterprise applications. Our (Oracle & Microsoft) joint customers need this.
As for the specific suggestion to allow programmatic setting of the allowlist: we'd consider that, but would much prefer a policy-based solution like MS Edge uses. For us, the urgency of this issue is less than others our customers are encountering, like #3008 and #3344