
Need Webview2 browser policy to enable Kerberos delegation #1641

Open
Kay-Burchardt opened this issue Aug 12, 2021 · 21 comments
Labels: feature request, tracked (We are tracking this work internally.)

Comments

Kay-Burchardt commented Aug 12, 2021

I am the responsible developer for the Edge control in SAP Business Client. Our customers expect that they can use the same SSO mechanisms in our product as in standalone Edge or Chrome. Some applications, like SAP BI, use SPNEGO/Kerberos delegation. For security reasons, that feature is disabled by default in Chromium-based browsers, so an allow list has to be provided in the browser policy "AuthNegotiateDelegateAllowlist".

https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#authnegotiatedelegateallowlist

Webview2 ignores Edge browser policies and currently doesn't contain that policy in its own set of policies. Previous Chromium versions offered the command line switch "--auth-negotiate-delegate-whitelist", but afaik it has been removed. So currently we have no chance to pass the allow list.

Please either add "AuthNegotiateDelegateAllowlist" to the set of Webview2 browser policies, or provide an API to set the list programmatically. Maybe it would be a good idea to also cover the full set of Edge HTTP authentication policies:

https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#http-authentication

AB#44690405
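An added audit helper, not code from the issue or from WebView2/Edge: given a candidate value for the AuthNegotiateDelegateAllowlist policy discussed above, it reports which target hosts would receive delegated Kerberos credentials and flags entries that delegate to every host. It assumes comma-separated host patterns with '*' as a wildcard, which is a simplification of Chromium's actual bypass-rule matching; the policy value and host names are constructed sample data.

```python
"""Audit helper for an AuthNegotiateDelegateAllowlist policy value.

Added example; not part of the GitHub issue or of WebView2/Edge itself.
Assumption: entries are comma-separated host patterns where '*' matches any
run of characters (simplified from Chromium's proxy-bypass-style matching).
"""
import fnmatch


def parse_allowlist(value: str) -> list[str]:
    # Split on commas, trim whitespace, drop empty entries, lower-case hosts.
    return [e.strip().lower() for e in value.split(",") if e.strip()]


def delegation_allowed(host: str, allowlist: str) -> bool:
    """True if Kerberos delegation to `host` would be permitted by `allowlist`."""
    host = host.lower()
    return any(fnmatch.fnmatchcase(host, pat) for pat in parse_allowlist(allowlist))


def overly_broad_entries(allowlist: str) -> list[str]:
    """Entries made only of wildcards/dots, i.e. delegation to any server.

    Such an entry hands forwardable credentials to every host the control
    authenticates to, so an admin review should normally reject it.
    """
    return [p for p in parse_allowlist(allowlist) if p.strip("*.") == ""]


def audit(allowlist: str, hosts: list[str]) -> dict:
    """Summarise which sample hosts are allowed/denied and any broad entries."""
    return {
        "allowed": [h for h in hosts if delegation_allowed(h, allowlist)],
        "denied": [h for h in hosts if not delegation_allowed(h, allowlist)],
        "broad_entries": overly_broad_entries(allowlist),
    }


# Constructed sample policy value and hosts (not from the issue).
SAMPLE_POLICY = "bi.corp.example, *.sso.corp.example"
SAMPLE_HOSTS = ["bi.corp.example", "portal.sso.corp.example", "evil.example"]

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY, SAMPLE_HOSTS))
    print(audit("*", SAMPLE_HOSTS))  # a bare '*' is reported as a broad entry
```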

@Kay-Burchardt Kay-Burchardt added the feature request feature request label Aug 12, 2021
@champnic champnic added the tracked We are tracking this work internally. label Aug 20, 2021
champnic (Member)

Thanks for the feature request @Kay-Burchardt, I've added it to our backlog.

lo-lo-o commented Nov 23, 2021

Hello, I'm greatly interested in this feature request, especially to get a way to pass AuthServerAllowlist, AuthNegotiateDelegateAllowlist and maybe AuthSchemes to Webview2.
Webview2 is my best candidate for my project, but is useless if I can't get SSO working.
Do you have an idea of a possible release of this feature?
Thanks in advance

@Auersberg

We have the same requirement here.
Embedded browsers are mainly needed in enterprise applications. SSO, SPNEGO/Kerberos are essential for this. An application that cannot support this is simply not accepted in professional environments.

@ShaunLoganOracle

Adding another vote for documented support for integrated authentication via WebView2 - say by adhering to policies (which seem to currently work, per #2563 ).

ShaunLoganOracle commented Apr 12, 2023

Hi @champnic
It has been a while since this request was added to the backlog.
There seems to be a decent amount of interest: #1641, #2563, #2507, #2974, #3315
Can you give all the folks interested in this any update?

fyi @victorthoang

novac42 (Contributor) commented Apr 13, 2023

Hi @ShaunLoganOracle We have begun designing and coordinating dev resources. Will provide further updates as it progresses through the development pipeline.

advos commented Apr 13, 2023

Hi @champnic It has been a while since this request was added to the backlog. There seems to be a decent amount of interest: #1641, #2663, #2507, #2974, #3315 Can you give all the folks interested in this any update?

fyi @victorthoang

We are still waiting for official support on this item. We really need Kerberos support within webview2. The registry settings for Kerberos are working, but they're not officially supported.

novac42 (Contributor) commented May 18, 2023

@Kay-Burchardt @ShaunLoganOracle @advos We are considering adding an API to support the auth delegation and integrated authentication scenario so that developers can programmatically set the allowlist. Could you please clarify the urgency of this matter so we can accurately assess its priority level?

@ShaunLoganOracle

@novac42
For my products (Excel add-ins), the lack of documented support for policies that govern Integrated Authentication is a significant gap. As others have pointed out, this kind of support is expected in enterprise applications. Our (Oracle & Microsoft) joint customers need this.
As for the specific suggestion to allow programmatic setting of the allowlist: we'd consider that, but would much prefer a policy-based solution like MS Edge uses. For us, the urgency of this issue is less than others our customers are encountering, like #3008 and #3344.

advos commented May 19, 2023

@novac42 Our software (website) is also used in an enterprise environment in which we don't control the browser. In this case Edge WebView2. The suggested solution is not going to work for us because then we depend on external suppliers if they are willing to set policies via the new API. For us, the urgency of this is significantly high. Customers are migrating from IE (browser control) to Edge (webview2). The requested support for the policies (AuthNegotiateDelegateAllowlist and AuthServerlist) is now working via registry settings. But because it's not officially supported, some of our customers refuse the implementation.

@Kay-Burchardt (Author)

@novac42
Usually our customers are cooperative when it comes to working around the current limitations, so all problems could be solved so far. Yet it causes inconvenience for our customers and additional work for our support organization, so we would appreciate a proper solution, either by a programmatic approach or policy-based.

@ShaunLoganOracle

FWIW, we have another joint (Oracle + Microsoft) customer reporting this issue: MS Edge works fine with their SSO, but not WebView2 (get an unexpected Windows Security popup to enter credentials).

novac42 (Contributor) commented Jun 20, 2023

@novac42 Our software (website) is also used in an enterprise environment in which we don't control the browser. In this case Edge WebView2. The suggested solution is not going to work for us because then we depend on external suppliers if they are willing to set policies via the new API. For us, the urgency of this is significantly high. Customers are migrating from IE (browser control) to Edge (webview2). The requested support for the policies (AuthNegotiateDelegateAllowlist and AuthServerlist) is now working via registry settings. But because it's not officially supported, some of our customers refuse the implementation.

Hi @advos, if I'm understanding correctly, your product is a web app that needs to run in a WebView2 app, and the WebView2 app is developed by an external supplier. Can your customers talk to their external suppliers to implement the new API? In principle it's the recommended way, as the admin doesn't have to know what tech stack the native app is using. However, we'd love to understand if there are any blockers in practice, for example if the external suppliers have dropped support for the WebView2 app.

advos commented Jul 4, 2023

@novac42 Our software (website) is also used in an enterprise environment in which we don't control the browser. In this case Edge WebView2. The suggested solution is not going to work for us because then we depend on external suppliers if they are willing to set policies via the new API. For us, the urgency of this is significantly high. Customers are migrating from IE (browser control) to Edge (webview2). The requested support for the policies (AuthNegotiateDelegateAllowlist and AuthServerlist) is now working via registry settings. But because it's not officially supported, some of our customers refuse the implementation.

Hi @advos, if I'm understanding correctly, your product is a web app that needs to run in a WebView2 app, and the WebView2 app is developed by an external supplier. Can your customers talk to their external suppliers to implement the new API? In principle it's the recommended way, as the admin doesn't have to know what tech stack the native app is using. However, we'd love to understand if there are any blockers in practice, for example if the external suppliers have dropped support for the WebView2 app.

Hi @novac42,
Yes, our application is a web app that runs in the browser. Our customers embed our web app in their enterprise application using a WebView2 browser. These applications are from different suppliers and not from one specific supplier. This means that we have to talk to all these suppliers (>6) to get this API implemented. We therefore also depend on their cooperation to get security in order.

novac42 (Contributor) commented Jul 13, 2023

@advos would you mind sharing which customer this is?

advos commented Jul 19, 2023

@advos would you mind sharing which customer this is?

@novac42 @ShaunLoganOracle It's an issue for a lot of our customers in the Benelux, France and DACH region. So it's not an issue for one customer. Our customers are typically hospitals, including large university hospitals and diagnostic centers.

novac42 (Contributor) commented Jul 24, 2023

@advos thanks very much for the info. I'm not very familiar with this field, could you please tell me the major suppliers of the client software they use?

@SRomeijn

The biggest supplier for EHR/HIS software in the Netherlands is Chipsoft, followed by SAP, Epic and Nexus. Potentially you could see Cerner, Agfa HealthCare, McKesson or Siemens.

@ShaunLoganOracle

@novac42
Is there any update on the progress for this issue?

@omoyolab

Do we have any update on this issue and to be clear, Kerberos does not work with Webview2 at the moment?

@ShaunLoganOracle

@novac42
Our (Oracle and Microsoft) joint customers keep requesting this - any progress?
