

Disabling IWA/Negotiate Security Popup for Windows 10/Edge?

Question

Tuesday, November 24, 2015 9:58 PM | 1 vote

(I asked this question on the 'normal' Microsoft support forums and was directed here: http://answers.microsoft.com/en-us/windows/forum/windows_10-security/disabling-iwanegotiate-security-popup-for-windows/b4dac05f-e7f0-4640-ae74-7b3204044005)

I cannot connect my Google account to Windows 10.  The reason I believe is that my company uses SAML-based authentication with a forms-based authentication page, and Windows 10 and/or Edge are handling the WWW-Authenticate: Negotiate HTTP header and wanting to present a Basic authentication popup instead.  I believe this is what is breaking the Mail app from working with Google (my personal email connects fine) and also breaking Chrome's browser sync feature because that too doesn't know how to handle this popup.  When using Edge I get this popup and if I click Cancel I'm sent to my company's signon page and from there everything works fine.

Can I disable this basic authentication popup in some way?  Can I configure Windows 10 and/or Edge to handle this Negotiate scheme differently?

All replies (8)

Thursday, December 3, 2015 7:31 AM ✅Answered | 1 vote

Hi Brian,

I have received the message regarding the issue. However, as we know, the Windows Security Credential cannot be disabled. You could use "Remember my credential" to save the password so that the popup will not display next time.

Since you could sync the settings via proxy, you could also set the proxy server for the Mail app. Just click the Start button > "Settings" > "Network & Internet" > "Proxy". Then turn on "Use a proxy server" and type the settings for it.

Hope that will be helpful to you.

Best Regards

Simon

Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected].


Thursday, November 26, 2015 9:29 AM | 1 vote

Hi,

Since you cancel this popup and everything works fine, I would like to suggest you block the popup to test the issue.

Based on my research, the popup settings in Edge are related to Internet Explorer. I would like to know what account you used to log on, a Microsoft account or another account. What Google apps do you want to get?

I would like to suggest you use Internet Explorer to access this website to see if the popup still appears.

Besides, please open Internet Explorer, click "Tools" > "Internet Options" > "Privacy" tab > check "Turn on Pop-up blocker". After that, please check whether the popup appears again.

Hope that could be helpful to you.

Best Regards

Simon



Saturday, November 28, 2015 4:39 AM | 1 vote

It's not a popup like an HTML-based popup, it's a Windows-specific dialog box that is prompting for credentials.  See below images.  Basically the process responsible for making the initial request to Google is receiving the WWW-Authenticate: Negotiate header, presuming it can present the below dialog boxes, and not being aware that it's not in a position to handle user input.  I don't know what's going on under the hood, but basically I want the Windows Mail process to ignore any type of dialog box.  That I have not been able to figure out.

The alternative is that my company's Negotiate header can handle a Kerberos ticket; that is how it works if I use Firefox and MIT Kerberos.  I'm tinkering around with this for IE and Edge in parallel.


Monday, November 30, 2015 1:53 AM | 1 vote

Hi,

Thank you for your reply.

I would like to know the type of your current account, Microsoft account, domain account or local account, as I asked you in my last post.

For the Windows Security credential, have you tried to remember your credential so that the system will not ask for the credential again next time? I consider it may be your account permission issue, and I infer you are using a Microsoft account to log on so that you will connect to Google mail automatically after you click "Cancel" in the credential. I suggest you use a local account to log on and connect the mail by clicking "Cancel". If my supposition is right, it will not automatically connect after you click "Cancel" in it.

The credential helps Internet Explorer and Edge to enhance the security of your system. Also, you could add your current account into the administrators account group and then check if the credential appears.

Wish you have a nice day.

Best Regards

Simon

 



Wednesday, December 2, 2015 2:41 PM | 1 vote

I'm using a local account on my Windows 10 machine. I don't have a Windows account currently enabled as I don't want to enforce a PIN or any password on my desktop machine (there seems to be no way around this with a Windows account otherwise I'd use it).

I don't want to use any Windows Security credentials, that's the question.  The browsers and Windows are both presenting these popup challenges as a result of 401 Not Authorized errors and seeing WWW-Authenticate: Negotiate in the header.  There are others asking these questions [1] and hopefully they can better describe what I'm looking for.  But based on what I have seen in these other posts it does not look like it's possible.

I did find something akin to a workaround - I had to run a local HTTP proxy on my machine and use rewrite rules to remove the WWW-Authenticate: Negotiate header from the HTTP stream and that did the trick.  This trick worked to allow me to sync my Google Chrome settings but Windows 10 Mail does not seem to work through a proxy.  That's another question for another day.

[1] http://stackoverflow.com/questions/86105/how-can-i-supress-the-browsers-authentication-dialog


Wednesday, January 20, 2016 2:59 PM | 1 vote

I can't use "remember my credential" because as part of my SAML-based authentication provider it uses a 2FA token so the password changes every time.  As for using a proxy, I have tried this too and I did get Google Chrome to behave properly when using that browser's sync settings, but Windows Mail does not seem to follow the proxy settings.  Can you confirm whether Windows 10 Mail app would follow Windows 10's proxy settings?


Thursday, March 10, 2016 10:34 AM | 1 vote

Hi Brian, can you share your proxy setup so I can try to do this too? Looking to get Mail app working through SAML.


Thursday, April 14, 2016 1:29 PM | 1 vote

Tom, it's not my proxy setup but my company's.  In a web browser Google asks for my username, then determines the appropriate authentication mechanism to present based on the domain name.  For my company we use a SAML-based authentication prompt using my company login name and password+2FA pin.  Between this step, this forms page presents a WWW-Authenticate: Negotiate because on our domain we will authenticate automatically at this point via Kerberos.  Without Kerberos (e.g. my home computer) Negotiate is interpreted as a Basic authentication prompt.  This prompt breaks Windows Mail.  I was able to work around this with a reverse proxy and rewrote the header, and got it to work for other use cases, but not for Windows Mail (doesn't seem to respect the proxy settings in Windows 10).  I want to disable this Basic authentication popup globally in the OS so that WWW-Authenticate: Negotiate falls back to a forms-based authentication page.
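
The header rewrite described in the thread (removing the `WWW-Authenticate: Negotiate` challenge so the client renders the forms page in the 401 body) can be sketched as follows. This is an added example, not code from any poster; the function names and sample headers are constructed, and it goes slightly beyond the thread's case by preserving any other challenges that share the header.

```python
import re

# Schemes to drop; the thread only concerns Negotiate.
STRIP_SCHEMES = {"negotiate"}

def split_challenges(value):
    """Split one WWW-Authenticate value into individual challenges.

    Commas separate both challenges and auth-params, so a piece is treated
    as a parameter of the previous challenge when it looks like name=value.
    Commas inside quoted strings are not split points.
    """
    pieces = re.findall(r'(?:[^,"]|"(?:\\.|[^"\\])*")+', value)
    challenges = []
    for piece in (p.strip() for p in pieces):
        if not piece:
            continue
        if re.match(r'[^\s=]+\s*=', piece) and challenges:
            challenges[-1] += ", " + piece  # auth-param of previous challenge
        else:
            challenges.append(piece)        # starts with a scheme name
    return challenges

def strip_negotiate(headers):
    """Return response headers with Negotiate challenges removed.

    headers: list of (name, value) tuples, as a proxy response hook sees them.
    A WWW-Authenticate header left with no challenges is dropped entirely.
    """
    out = []
    for name, value in headers:
        if name.lower() != "www-authenticate":
            out.append((name, value))
            continue
        kept = [c for c in split_challenges(value)
                if c.split(None, 1)[0].lower() not in STRIP_SCHEMES]
        if kept:
            out.append((name, ", ".join(kept)))
    return out

# Constructed sample: headers of a 401 response from a hypothetical sign-on page.
SAMPLE_401 = [
    ("Content-Type", "text/html"),
    ("WWW-Authenticate", "Negotiate"),
    ("WWW-Authenticate", 'Negotiate, Basic realm="sso, corp", charset="UTF-8"'),
]

if __name__ == "__main__":
    for header in strip_negotiate(SAMPLE_401):
        print(header)
```

A rule like this should be scoped to the identity provider's host only; applied to all traffic it also removes Kerberos single sign-on from every site that relies on it.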