I have an IIS 7 server with 2 sites - site1, site2.
site1 binds port 80, site2 binds port 81.
I have a web page in site2 which sends an http get request via $.ajax()
to a URL in site1.
I've configured both site to use kerberos:
Enabled only windows authentication, selected only negotiate:kerberos in providers.
Configured SPN for the user/server in AD.
I use fiddler to monitor the request headers.
When I use IE8, I see that kerberos ticket is delegated from site2 to site1 via 2-hop, the way kerberos should work.
When I use chrome, I see that keberos ticket is not delegated. I get an 401 error.
I tried setting:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"AuthNegotiateDelegateWhitelist"="*"
...(and specifically the server name), but it has not worked.
Any ideas?
I had to add the same registry value to this key to make everything work:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Chromium
Also interesting to note that I'm using *.domain.local instead of just *.