[Qtwebengine] Kerberos authentication not working in QtWebEngine

Alexandru Croitor alexandru.croitor at qt.io
Wed Oct 5 15:45:38 CEST 2016 

Hi,

Qt WebEngine 5.6.1 is based on Chromium 45.
5.7.0 is based on Chromium 49
5.8 will be based on Chromium 53.

You could try the latest beta build of WebEngine 5.8.

Regards, Alex.

On 05 Oct 2016, at 15:43, Lutfi Dwedari <lutfi.dwedari at pds.nl<mailto:lutfi.dwedari at pds.nl>> wrote:

Hi.

As I mentioned in my earlier email Chromium requires to white list the servers that use Kerberos authentication. That is done with the AuthServerWhitelist registry entry in Windows.
I’ve done a global search in the qt 5.6.1 source code for the word AuthServerWhitelist and could not find any.
Chromium 51.0.2704.63 source code does have those references:

android_webview\browser\aw_browser_context.cc:const char kAuthServerWhitelist[] = "auth.server_whitelist";
android_webview\browser\aw_browser_context.cc:  pref_registry->RegisterStringPref(prefs::kAuthServerWhitelist, std::string());
android_webview\browser\aw_browser_context.h:extern const char kAuthServerWhitelist[];
android_webview\browser\aw_browser_policy_connector.cc:      policy::key::kAuthServerWhitelist, prefs::kAuthServerWhitelist,
android_webview\browser\net\aw_url_request_context_getter.cc:      prefs::kAuthServerWhitelist, user_pref_service,
chrome\browser\io_thread.cc:      prefs::kAuthServerWhitelist, local_state,
chrome\browser\io_thread.cc:  registry->RegisterStringPref(prefs::kAuthServerWhitelist, std::string());
chrome\browser\io_thread_unittest.cc:  pref_service()->SetString(prefs::kAuthServerWhitelist, "xxx");
chrome\browser\io_thread_unittest.cc:  pref_service()->SetString(prefs::kAuthServerWhitelist, "*");
chrome\browser\policy\configuration_policy_handler_list_factory.cc:  { key::kAuthServerWhitelist,
chrome\browser\policy\configuration_policy_handler_list_factory.cc:    prefs::kAuthServerWhitelist,
chrome\browser\prefs\command_line_pref_store.cc:      { switches::kAuthServerWhitelist, prefs::kAuthServerWhitelist },
chrome\common\chrome_switches.cc:const char kAuthServerWhitelist[]           = "auth-server-whitelist";
chrome\common\chrome_switches.h:extern const char kAuthServerWhitelist[];
chrome\common\pref_names.cc:const char kAuthServerWhitelist[] = "auth.server_whitelist";
chrome\common\pref_names.h:extern const char kAuthServerWhitelist[];
chrome\test\data\policy\policy_test_cases.json:  "AuthServerWhitelist": {
chrome\test\data\policy\policy_test_cases.json:    "test_policy": { "AuthServerWhitelist": "localhost" },
components\policy\resources\policy_templates.json:          'name': 'AuthServerWhitelist',
net\http\http_auth_preferences_unittest.cc:TEST(HttpAuthPreferencesTest, AuthServerWhitelist) {
tools\android\kerberos\README.md:     *   AuthServerWhitelist: `*`

Also in the current codebase: https://cs.chromium.org/search/?q=AuthServerWhitelist&sq=package:chromium

So it seems that the qtwebengine\src\3rdparty\chromium is missing files or that the code has been modified. For example in qt the file qtwebengine\src\3rdparty\chromium\chrome\common\chrome-switches.cc<http://chrome-switches.cc/> is missing these lines:
// Whitelist for Negotiate Auth servers
const char kAuthServerWhitelist[]           = "auth-server-whitelist";

Can anybody comment on this?

Thanks.
Lutfi

From: QtWebEngine [mailto:qtwebengine-bounces+lutfi.dwedari=pds.nl at qt-project.org] On Behalf Of Lutfi Dwedari
Sent: 02 October 2016 01:32
To: qtwebengine at qt-project.org<mailto:qtwebengine at qt-project.org>
Subject: [Qtwebengine] Kerberos authentication not working in QtWebEngine

Hi.

I’m really struggling to get windows integrated authentication through Kerberos to work with QtWebEngine.
I’ve build the minimal and the demobrowser examples. They are working fine for normal http and https pages but not for pages that require integrated authentication.
When loading this pages I see that the authenticationRequired signal is emited.
I’ve read that apparently Chromium requires to specify a white list of servers that are allowed Kerberos/negotiate authentication.
I’ve tried setting the HLKM\Software\Policies\Chromium\AuthServerWhitelist as suggested here<https://dev.chromium.org/administrators/policy-list-3#AuthServerWhitelist>. But it has not worked.
I’ve also seen that there is a possibility to send parameters to Chromium but I’m not sure how to send from my application through the QtWebEngineProcess to Chromium. I may also still not work.

So my question. Has anyone tried integrated authentication? Is there any test for this?
Is there a way to send parameters to Chromium?
Is there any way to enable logging for QtWebEngine/QtWebEngineProcess/Chromium to get an idea why the authentication is failing?

The version of QT I’m using is 5.6.1-1.

Thanks a lot.

Lutfi
_______________________________________________
QtWebEngine mailing list
QtWebEngine at qt-project.org<mailto:QtWebEngine at qt-project.org>
http://lists.qt-project.org/mailman/listinfo/qtwebengine

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.qt-project.org/pipermail/qtwebengine/attachments/20161005/7f2aa173/attachment.html>

More information about the QtWebEngine mailing list