Chrome

Azure AD Sign-in via Google Chrome and Conditional Access

While testing MFA, Conditional Access and all the other good stuff Azure AD provides, I came across this scenario:

Conditional Access configured to require MFA if the user wasn’t on an Azure AD Hybrid PC, or coming from an internal IP.

User on an Azure AD Hybrid PC, but on an external IP.

User uses Chrome to access a Microsoft resource, and gets challenged despite being on the Azure AD Hybrid PC.

It seems that the sign-in process isn’t aware of the state of the computer when using Chrome: unlike Internet Explorer, Chrome doesn’t present the device’s Azure AD join state to the sign-in page on its own, so the ‘Hybrid Azure AD joined’ condition can never be satisfied and the MFA rule fires. There is an easy fix: deploy the Windows 10 Accounts extension for Chrome, which lets Chrome pass the signed-in Windows account and the device state through to Azure AD.

This is really easy to do via Group Policy.

1. If you don’t already have them, get the ADMX Group Policy files for Google Chrome and deploy them into your environment.
2. Under User Configuration > Policies > Administrative Templates > Google > Google Chrome > Extensions, configure the policy ‘Configure the list of force-installed apps and extensions’.
3. Set the policy to Enabled, click ‘Show’ and enter the value for the extension (the extension ID, a semicolon, then Chrome’s update URL):

ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx

4. Do your normal process of configuring the Group Policy object to target the users you want, run a gpupdate and see the extension silently turn up in Chrome. The only user impact will be a visible Windows logo to the left of the Google Accounts area in the top bar of Chrome.

Peter van der Woude has documented how to do this via the registry, so read his post if you want info on how to do that, as well as how to then deploy it via Intune and a PowerShell script.

Worth doing if you use Azure AD Connect (i.e. you have Hybrid Azure AD joined PCs), and highly recommended if you’re using Conditional Access.
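As an added example (not from the original post, and not Peter’s script either), here is the same force-install written straight to the registry with PowerShell, which is what the Group Policy above ends up doing on the client. It assumes Chrome’s documented machine-wide policy key HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist, where each entry is a numbered REG_SZ value; the extension ID and update URL are the ones from step 3. Run it elevated on a test PC.

```powershell
# Added example, not from the original post: force-install the Windows 10
# Accounts extension by writing Chrome's ExtensionInstallForcelist policy to
# the machine-wide policy key (the same setting the ADMX policy in the post
# writes), then read the list back. Run in an elevated PowerShell on a test PC.

$ExtensionId = 'ppnbnpeolgkicgegkbkbjmhlideopiji'                 # from the post
$UpdateUrl   = 'https://clients2.google.com/service/update2/crx'  # from the post
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'

function Add-ChromeForcedExtension {
    # Appends "<id>;<update url>" as the next numbered value under the
    # forcelist key, skipping the write if the ID is already listed.
    # Returns the name of the value that holds the entry.
    param(
        [Parameter(Mandatory)][string]$Id,
        [Parameter(Mandatory)][string]$Url,
        [string]$KeyPath = $PolicyKey
    )
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # Chrome reads numbered REG_SZ values ("1", "2", ...); ignore the PS* metadata
    # properties Get-ItemProperty adds.
    $numbered = (Get-ItemProperty -Path $KeyPath).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' }

    $already = $numbered | Where-Object { $_.Value -like "$Id;*" } | Select-Object -First 1
    if ($already) {
        return $already.Name
    }

    # Next free index, so existing forced extensions are neither clobbered nor renumbered.
    $next = 1
    if ($numbered) {
        $next = ([int[]]($numbered | ForEach-Object { $_.Name }) | Measure-Object -Maximum).Maximum + 1
    }
    New-ItemProperty -Path $KeyPath -Name "$next" -Value "$Id;$Url" -PropertyType String -Force | Out-Null
    return "$next"
}

function Get-ChromeForcedExtensions {
    # Lists the current forcelist entries so you can confirm what Chrome will load.
    param([string]$KeyPath = $PolicyKey)
    if (-not (Test-Path $KeyPath)) { return @() }
    (Get-ItemProperty -Path $KeyPath).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object { [pscustomobject]@{ Index = $_.Name; Entry = $_.Value } }
}

$valueName = Add-ChromeForcedExtension -Id $ExtensionId -Url $UpdateUrl
Write-Host "Windows 10 Accounts extension is forcelist entry '$valueName'"
Get-ChromeForcedExtensions | Format-Table -AutoSize
```

Chrome picks the entry up on its next start (or after gpupdate /force when it is delivered through Group Policy, as in the post), and chrome://policy should then list it under ExtensionInstallForcelist. To confirm the Conditional Access effect, sign in to a Microsoft resource from Chrome on an external IP and look at that sign-in in the Azure AD sign-in log: the device details should now be populated and the MFA requirement should no longer apply.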

How To Launch A URL In Google Chrome

Scenario:
We want to open a particular URL in Google Chrome, but the default browser is Internet Explorer. Most company apps either support or require Internet Explorer, so we don’t want to change the default browser – but one app works better in Chrome.

We could create a desktop shortcut using chrome.exe -url http://webpage.com, but the site is also linked from our intranet, so how do we get the link to always launch in the preferred browser?

Update 21st Dec 2016

Updates to Chrome seem to have broken this. Thanks to Chris Done for working with me on this fix:

1. Add a String Value (REG_SZ) named "URL Protocol" with a blank value under:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChromeHTML] or [HKEY_CLASSES_ROOT\ChromeHTML]
(they’re one and the same)
"URL Protocol"=""

2. Modify the (Default) value of

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChromeHTML\shell\open\command]
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- %1

(Chrome registers this as -- "%1"; the quotes around %1 are what you remove. Adjust the path if Chrome is installed under C:\Program Files rather than Program Files (x86).)

3. Use a space in the URL after the // in your link:

ChromeHTML:// adamfowlerit.com

4. Create this key and value to remove the prompt on opening the link:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\ChromeHTML]
"WarnOnOpen"=dword:00000000

Here are the registry settings; copy and paste them into a .reg file and import it:

Copy from the next line

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChromeHTML]
@="Chrome HTML Document"
"URL Protocol"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChromeHTML\DefaultIcon]
@="C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChromeHTML\shell]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChromeHTML\shell\open]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChromeHTML\shell\open\command]
@="\"C:\\Program Files (x86)\\Google\\Chrome\\Application\\Chrome.exe\" -- %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\ChromeHTML]
"WarnOnOpen"=dword:00000000

Copy stops above this line

End of update 21st Dec 2016

Answer:
URI schemes. Any program can be launched using a protocol (you can see which ones you already have in Windows under Control Panel > Default Programs > Associate a file type or protocol with a program, then scroll past all the extensions down to the protocols).

You may have something like ‘MAILTO’ which is used in the format “Mailto:”. Type that into your browser and it will either launch a new email from your default mail client, or ask you to set a default mail client.

Some apps automatically create their own protocol, but you can also create your own through registry entries. Details from MSDN are available here.

Luckily for Chrome, this is already done for you, using ChromeHTML. This means you should be able to call Chrome with “ChromeHTML:” and insert the URL you want after it to open – except it doesn’t work. Chrome will open, but no URL is passed over.

A user logged this bug with Google several months ago and it hasn’t been fixed. There is a workaround though, which can easily be done via Group Policy to change a local registry setting.

As this user mentions, a quote needs to be taken out of the following registry key, so it looks like this:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChromeHTML\shell\open\command]
@="\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" -- %1"

The quotes removed were the ones around %1, so the URL is passed to Chrome as an unquoted argument.

Once this is done, the ChromeHTML protocol can be used with a URL, as long as it’s in this format:

ChromeHTML:// google.com

Note the space after the slashes. With %1 unquoted, Windows splits the link at that space into two arguments, and it is the part after the space that Chrome opens as the URL. The -- that precedes %1 in Chrome’s registration marks the end of Chrome’s command-line switches, so keep it: it stops whatever follows from being interpreted as a switch.

The next issue you will notice is that Internet Explorer will most likely prompt when launching the URL, asking ‘Do you want to allow this website to open a program on your computer?’. There is a checkbox you can untick, ‘Always ask before opening this type of address’, but this can also be suppressed via the registry.

Snapcomms have an article on how to do it with their product, but the same rules apply for Google Chrome, as long as you use the right key:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\ChromeHTML]
"WarnOnOpen"=dword:00000000

Once this key exists, the prompt will no longer show for that particular protocol. Bear in mind what that prompt is for: it is Internet Explorer asking before a web page is allowed to launch a local program through a protocol handler. With WarnOnOpen set to 0, any page rendered in Internet Explorer, not just your intranet, can launch Chrome with a URL of its choosing through ChromeHTML: without asking, so set this only for ChromeHTML and leave the other protocols alone.

That’s it, now you can use a URL link such as “ChromeHTML:// adamfowlerit.com” on your intranet page to launch the website of your choice in Chrome browser.
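As an added example (not from the original post, and not Chris’s or Snapcomms’ code), here are the registry changes from the December 2016 update applied with PowerShell rather than a .reg file. It reads the command Chrome already registered for ChromeHTML to find chrome.exe, so it works whether Chrome lives under Program Files or Program Files (x86), and it only removes the quotes around %1 so the -- stays in place. The Wow6432Node ProtocolExecute path is the key from the post; the second path without Wow6432Node is an assumption added here for 64-bit processes on 64-bit Windows and is harmless if unused. Run it elevated, and bear in mind the 2018 update below: Google considers this unsupported.

```powershell
# Added example, not from the original post: apply the ChromeHTML: protocol
# workaround (URL Protocol value, unquoted %1, WarnOnOpen=0) with PowerShell.
# Run in an elevated PowerShell. Requires a machine-wide Chrome install that
# has already registered the ChromeHTML class.

$ProtoKey   = 'HKLM:\SOFTWARE\Classes\ChromeHTML'
$CommandKey = "$ProtoKey\shell\open\command"

# IE's per-protocol "open a program" warning. The Wow6432Node path is the one
# from the post (32-bit IE on 64-bit Windows); the second is an assumption for
# 64-bit processes.
$WarnKeys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\ChromeHTML',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\ChromeHTML'
)

function Get-UnquotedPercentOneCommand {
    # Turns  "C:\...\chrome.exe" -- "%1"  into  "C:\...\chrome.exe" -- %1
    # Only the quotes around %1 change; the path quoting and the -- are kept.
    param([Parameter(Mandatory)][string]$Command)
    return ($Command -replace '"%1"', '%1')
}

function Enable-ChromeHtmlProtocol {
    if (-not (Test-Path $CommandKey)) {
        throw "ChromeHTML is not registered under $ProtoKey; is Chrome installed machine-wide?"
    }
    $current = (Get-ItemProperty -Path $CommandKey).'(default)'
    if (-not $current) { throw "No (Default) value under $CommandKey" }
    if ($current -notmatch '-- ') {
        # Refuse to edit a command line that does not look like Chrome's own
        # registration; whatever is there deserves a look before being changed.
        throw "Unexpected command line '$current'; check Chrome's registration before editing"
    }
    $fixed = Get-UnquotedPercentOneCommand -Command $current
    Write-Host "Before: $current"
    Write-Host "After:  $fixed"

    # Step 1 of the Dec 2016 update: mark the class as a URL protocol handler.
    New-ItemProperty -Path $ProtoKey -Name 'URL Protocol' -Value '' -PropertyType String -Force | Out-Null
    # Step 2: unquoted %1, so "ChromeHTML:// host" splits at the space.
    Set-ItemProperty -Path $CommandKey -Name '(default)' -Value $fixed
    # Step 4: suppress IE's "open a program" prompt for this protocol only.
    foreach ($k in $WarnKeys) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
        New-ItemProperty -Path $k -Name 'WarnOnOpen' -Value 0 -PropertyType DWord -Force | Out-Null
    }
    return $fixed
}

Enable-ChromeHtmlProtocol
# Then put a link such as  ChromeHTML:// adamfowlerit.com  on an intranet page
# and open it from Internet Explorer, as the post describes.
```

The script prints the command line before and after so you have the original to hand if you need to put it back; a Chrome update that re-registers the class will restore the quoted "%1" and the link will stop passing the URL again, which is the breakage the December 2016 update describes.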

Update 22nd January 2018

This issue has been marked as ‘Won’t fix’ by the Chromium team. This means potentially they may ‘break this/remove this/anything could happen’ in the future. Please be aware that you’re now doing something unsupported by Google. In November they removed more of the functionality that made this work, for reasons I can’t quite understand!