[Question]Playwright in Kerberos environment #1730

Closed
manisshaa opened this issue Apr 9, 2020 · 16 comments

Comments

@manisshaa

manisshaa commented Apr 9, 2020

We have an internal site that requires kerberos authentication. How do I make Playwright work in such scenario?

@jacobmesu

jacobmesu commented Apr 9, 2020

I just managed to get it working. You need to set the following Chrome policies:
AuthServerWhitelist (https://cloud.google.com/docs/chrome-enterprise/policies/?policy=AuthServerWhitelist)
AuthNegotiateDelegateWhitelist (https://cloud.google.com/docs/chrome-enterprise/policies/?policy=AuthNegotiateDelegateWhitelist)
AmbientAuthenticationInPrivateModesEnabled (https://cloud.google.com/docs/chrome-enterprise/policies/?policy=AmbientAuthenticationInPrivateModesEnabled)

What OS are you working on? I have some additional tips if you are working on a Mac.
https://support.google.com/chrome/a/answer/187202?hl=en

Related #1707

@manisshaa
Author

I'm working on Windows. Is there any way to set these policies in my playwright framework (on index.js or some other file?). I actually don't have admin rights to my system, so can't set policy values from chrome://policy.

@jacobmesu

jacobmesu commented Apr 9, 2020

It is possible to set the first two policies using args like this:

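   const { chromium } = require("playwright");

   (async () => {
      // Allow integrated (Negotiate) auth and credential delegation for these hosts
      const browser = await chromium.launch({
         headless: false,
         args: [
            "--auth-negotiate-delegate-whitelist=*.domain.com",
            "--auth-server-whitelist=*.domain.com",
         ],
      });
      const context = await browser.newContext();
      const page = await context.newPage();
   })();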

You need to replace domain.com with the domain you're logging on to. But not the third (AmbientAuthenticationInPrivateModesEnabled), as far as I know.
You can also ask your IT department to push the policies.

@manisshaa
Author

Thanks for the prompt reply. Seems like I'm making some progress. I added the two flags and got AmbientAuthenticationInPrivateModesEnabled added as well (value: 0x0000true). Now when I run my script, I get Error: net::ERR_INVALID_AUTH_CREDENTIALS at https://*.com. Any idea how to fix it?

@manisshaa
Author

I'm able to fix this error by using context.setHTTPCredentials(). This also gets rid of one login prompt. But the second one is still there. This application, which is generally an SSO app, has two levels of login prompts with Playwright.

@jacobmesu

Can you run the chromium instance and check the chrome://policy page? I'm especially interested in the AmbientAuthenticationInPrivateModesEnabled policy. It should be an integer (0-4) and not a boolean.

You can also try running with a persistent context (https://github.com/microsoft/playwright/blob/master/docs/api.md#browsertypelaunchpersistentcontextuserdatadir-options). Then you don't need this policy; however, you can't run multiple contexts in parallel with a persistent context.

@aslushnikov
Collaborator

Closing this since there hasn't been much activity here.

@paoloantinori

Leaving a comment here in case anyone might still be wrestling with this.

  1. Flags have changed in recent (2022 at least) versions of Chromium
  2. I've managed to succeed without having to set AmbientAuthenticationInPrivateModesEnabled in policies:

    # p is the object from `with sync_playwright() as p:`
    browser = p.chromium.launch(
        headless=True,
        args=[
            "--auth-negotiate-delegate-allowlist=*.example.com",
            "--auth-server-allowlist=*.example.com",
            "--start-maximized",
        ],
    )

@AndrewLChalfant

AndrewLChalfant commented Dec 20, 2023

Encountering this issue with Chrome in 2023 on a Linux Gitlab runner, any suggestions?
Using the above args in playwright.config.ts as part of the launchOptions for Chrome

@aloene

aloene commented Dec 5, 2024

> Encountering this issue with Chrome in 2023 on a Linux Gitlab runner, any suggestions? Using the above args in playwright.config.ts as part of the launchOptions for Chrome

I am trying to make it work in a Linux container (with RobotFramework, based on latest playwright image)... no luck for now. I am not even sure about the way to set those policy settings. What is the correct way to allow this Kerberos auth. to work?
I have set httpCredentials on context and I have tried to set --auth-negotiate-delegate-allowlist and --auth-server-allowlist as args on browser but no luck. Then I tried to create a policy file in /etc/chromium/policies/managed/ with appropriate settings but it does not change anything.

{
  "AmbientAuthenticationInPrivateModesEnabled": 3,
  "AuthServerAllowlist": "*.mysubdomain.mydomain.com,*.mydomain.com",
  "AuthNegotiateDelegateAllowlist": "*.mysubdomain.mydomain.com,*.mydomain.com"
}

Has anyone managed to implement Kerberos authentication with playwright (+ RobotFramework maybe)? This is a blocker for me as I have many apps to test with Windows Integrated Authentication (Kerberos only, no NTLM).

@paoloantinori

paoloantinori commented Dec 5, 2024

@aloene these work in my case:

    from playwright.sync_api import sync_playwright

    with sync_playwright() as p:
        browser = p.chromium.launch(
            headless=True,
            args=[
                "--auth-negotiate-delegate-allowlist=*.mydomain.com",
                "--auth-server-allowlist=*.mydomain.com",
                "--start-maximized",
            ],
        )

@aloene

aloene commented Dec 5, 2024

> @aloene these work in my case:

OK, thanks for your answer @paoloantinori. I do not understand what is wrong...
I did nearly the same thing (With RobotFramework "New Browser" keyword with these same args + httpCredential on "New context"... no luck for now).
Browser trace just shows the 401/Negotiate response (OK) but it is stuck then.

Do you use Windows or Linux/Linux Container? Have you changed/set any other setting somewhere?

@aloene

aloene commented Dec 5, 2024

@paoloantinori

>     with sync_playwright() as p:
>         browser = p.chromium.launch(
>             headless=True,
>             args=[
>                 "--auth-negotiate-delegate-allowlist=*.mydomain.com",
>                 "--auth-server-allowlist=*.mydomain.com",
>                 "--start-maximized",
>             ],
>         )

Also, how do you choose the credential to be used? Current process identity or do you explicitly use test credential from your test code?

@paoloantinori

> @paoloantinori
>
>     with sync_playwright() as p:
>         browser = p.chromium.launch(
>             headless=True,
>             args=[
>                 "--auth-negotiate-delegate-allowlist=*.mydomain.com",
>                 "--auth-server-allowlist=*.mydomain.com",
>                 "--start-maximized",
>             ],
>         )
>
> Also, how do you choose the credential to be used? Current process identity or do you explicitly use test credential from your test code?

This question might be leading to the issue.

This configuration enables Chromium to use a valid Kerberos token already available to the user (of the operating system).

In my case I do take care of getting one from the command line. I use kinit on Linux, and it's at this level that the user is configured.
With that, my desktop browsers inherit that valid token, which allows me to be automatically authenticated.
Playwright-managed Chromium works if I also pass those extra flags.

@aloene

aloene commented Dec 6, 2024

Ok. Thanks.
Today, I tried after initializing a Kerberos token with my account (kinit) but with the new headless Chromium (by specifying channel) instead of chromium shell because I realized (it seemed) the chromium shell was not loading kerberos libs. It did not work... Same network trace but I got an additional HTTP Failure in output... (?)
I will try again with chromium shell... It may work...

@aloene

aloene commented Dec 9, 2024

@paoloantinori

> Also, how do you choose the credential to be used? Current process identity or do you explicitly use test credential from your test code?
>
> This question might be leading to the issue.
>
> This configuration enables Chromium to use a valid Kerberos token already available to the user (of the operating system).
>
> In my case I do take care of getting one from the command line. I use kinit on Linux, and it's at this level that the user is configured. With that, my desktop browsers inherit that valid token, which allows me to be automatically authenticated. Playwright-managed Chromium works if I also pass those extra flags.

This actually works with current/"old" headless chromium (i.e. shell). This does not work with chromium channel (the one I was trying to use). I also removed the httpCredentials arg as the Kerberos ticket is enough.

Thanks !
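
The setup the last comments arrive at (a ticket obtained with kinit, the allowlist flags, no httpCredentials), as an added example that is not code from this thread or from the Playwright project. It goes one step further than the thread by leaving delegation off unless requested, since `--auth-negotiate-delegate-allowlist` names the servers Chromium may delegate the user's credentials to. The hostnames, the pattern checks, the subset rule and the function names are assumptions of this example, and `klist -s` assumes an MIT or Heimdal Kerberos client on Linux.

```python
import shutil
import subprocess

def check_pattern(pattern):
    """Normalise one allowlist entry; reject entries that match too much."""
    host = pattern.strip().lower()
    suffix = host[2:] if host.startswith("*.") else host
    # Heuristic of this example: a wildcard needs at least two labels after it.
    if host.startswith("*.") and "." not in suffix:
        raise ValueError(f"wildcard too broad: {pattern!r}")
    if not suffix or "*" in suffix or "," in suffix or not all(suffix.split(".")):
        raise ValueError(f"invalid host pattern: {pattern!r}")
    return host

def kerberos_args(server_hosts, delegate_hosts=()):
    """Build Chromium flags; delegation stays off unless explicitly requested."""
    servers = [check_pattern(h) for h in server_hosts]
    delegates = [check_pattern(h) for h in delegate_hosts]
    if not servers:
        raise ValueError("at least one server pattern is required")
    # Rule of this example: only delegate to hosts that are also auth servers.
    if set(delegates) - set(servers):
        raise ValueError("delegation targets must be in the server allowlist")
    args = ["--auth-server-allowlist=" + ",".join(servers)]
    if delegates:
        args.append("--auth-negotiate-delegate-allowlist=" + ",".join(delegates))
    return args

def has_valid_ticket():
    """True if `klist -s` reports a readable, unexpired credential cache."""
    klist = shutil.which("klist")
    if klist is None:
        return False
    return subprocess.run([klist, "-s"], capture_output=True).returncode == 0

def fetch_status(url, server_hosts, delegate_hosts=()):
    """Open url with the OS user's Kerberos ticket and return the HTTP status."""
    if not has_valid_ticket():
        raise RuntimeError("no valid Kerberos ticket; run kinit first")
    from playwright.sync_api import sync_playwright  # lazy: only needed here
    args = kerberos_args(server_hosts, delegate_hosts)
    with sync_playwright() as p:
        browser = p.chromium.launch(headless=True, args=args)
        try:
            response = browser.new_page().goto(url)
            return response.status if response else None
        finally:
            browser.close()
```

A 401 returned by `fetch_status` despite a valid ticket points at the allowlist pattern or the browser build rather than at credentials, which matches the "401/Negotiate then stuck" trace described earlier in the thread.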
