NTLM instead of Kerberos with Chrome version 69 when using alias in url


Since the update to version 69.0.3497.81, Kerberos authentication on our application doesn't work anymore. I haven't mastered the authentication process, but it seems that Chrome uses NTLM instead of Kerberos for authentication.

The access URL for our application uses an alias. Example:

https://myApplication/test

The application is deployed on a server: serverA.domain.com

I think the keytab referenced serverA.domain.com.

I noticed that if I use the full server name with the domain, it works! -> https://serverA.domain.com/test

We can confirm that it works with the previous Chrome version.

Have you guys met problems like that with the last Chrome update? Any suggestions?


Solution

  • It was a bug in Google Chrome. Since version 69.0.3497.23, Chrome didn't resolve CNAMEs anymore. So if you use an alias in your DNS, it's not resolved and is used directly for Kerberos negotiation.

    Chrome then got an error "ERR_ACCESS_DENIED".

    With an incorrect SPN, the ticket acquisition will fail. Windows defaults to NTLM in those cases.

    More explanation from the bug chat:

    "Async host resolver currently doesn't resolve CNAMEs. Thus use of the async resolver is not currently compatible with the needs of HttpAuthHandlerNegotiate where correct CNAME lookup is required."

    Bug: https://bugs.chromium.org/p/chromium/issues/detail?id=872665

    Hope this helps others!
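
To confirm which mechanism the browser actually sent for the alias URL versus the full server name, the `Authorization` header token can be classified by its leading bytes. This is an added example, not part of the original answer; the function names and the sample tokens are constructed for illustration, and the check is a heuristic rather than a full ASN.1 parse.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"  # signature at the start of every NTLM message
# DER-encoded mechanism OIDs found inside GSS-API / SPNEGO tokens
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10


def classify_authorization(header_value):
    """Return 'kerberos', 'ntlm' or 'unknown' for an Authorization header value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    # Check NTLM first: a SPNEGO token may list the Kerberos OID among the
    # offered mechanisms while the token it actually carries is NTLM.
    if NTLMSSP_SIG in raw:
        return "ntlm"
    if raw[:1] == b"\x60" and (OID_KRB5 in raw or OID_MS_KRB5 in raw):
        return "kerberos"
    return "unknown"


def encode_token(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed, truncated samples that only mimic the layout of real tokens.
RAW_NTLM = NTLMSSP_SIG + (1).to_bytes(4, "little") + bytes(24)
SPNEGO_NTLM = b"\x60\x40" + OID_SPNEGO + OID_KRB5 + OID_NTLMSSP + RAW_NTLM
SPNEGO_KRB5 = (b"\x60\x82\x05\x00" + OID_SPNEGO + OID_MS_KRB5 + OID_KRB5
               + b"\x60\x82\x04\x00" + OID_KRB5 + b"\x01\x00" + bytes(16))

SAMPLES = {
    "alias URL, raw NTLM fallback": "Negotiate " + encode_token(RAW_NTLM),
    "alias URL, NTLM inside SPNEGO": "Negotiate " + encode_token(SPNEGO_NTLM),
    "FQDN URL, Kerberos": "Negotiate " + encode_token(SPNEGO_KRB5),
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label:32} -> {classify_authorization(header)}")
```

By eye, a raw NTLM token begins with `TlRMTVNTUAAB` and a Kerberos/SPNEGO token with `YII`, so a `Negotiate` header carrying the former indicates that the ticket request failed and the client fell back to NTLM.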