Use KDC policy to delegate credentials.

Setting the policy to Enabled means HTTP authentication respects approval by KDC policy. In other words, Google Chrome delegates user credentials to the service being accessed if the KDC sets OK-AS-DELEGATE on the service ticket. See RFC 5896 ( https://tools.ietf.org/html/rfc5896.html ). The service should also be allowed by AuthNegotiateDelegateAllowlist.

Setting the policy to Disabled or leaving it unset means KDC policy is ignored on supported platforms and only AuthNegotiateDelegateAllowlist is respected.

On Microsoft® Windows®, KDC policy is always respected.

Supported on: At least Microsoft Windows 7 or Windows Server 2008 family

Registry HiveHKEY_CURRENT_USER
Registry PathSoftware\Policies\Google\ChromeOS
Value NameAuthNegotiateDelegateByKdcPolicy
Value TypeREG_DWORD
Enabled Value1
Disabled Value0

chromeos.admx

Administrative Templates (Computers)

Administrative Templates (Users)