Reland 65535

Group Policy support for HTTP authentication, already had LGTM from http://codereview.chromium.org/3517018.

BUG=53625
TEST=ConfigurationPolicyPrefStore*

Review URL: http://codereview.chromium.org/4733003
Patch from Jakob Kummerow <jkummerow@google.com>.

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@65664 0039d316-1c4b-4281-b951-d872f2087c98

14 files changed, 245 insertions, 30 deletions

diff --git a/chrome/app/policy/policy_templates.grd b/chrome/app/policy/policy_templates.grd
index b8cbb24..7f29a0a 100644
--- a/chrome/app/policy/policy_templates.grd
+++ b/chrome/app/policy/policy_templates.grd
@@ -355,6 +355,58 @@ templates and will be translated for each locale. -->
       <ph name="PROXY_HELP_URL">$2<ex>http://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett</ex></ph>
     </message>
 
+    <!-- HTTP Authentication Policy messages -->
+    <message name="IDS_POLICY_HTTPAUTHENTICATION_CAPTION" desc="Caption of the 'HTTPAuthentication' policy group">
+      Policies for HTTP Authentication
+    </message>
+    <message name="IDS_POLICY_HTTPAUTHENTICATION_DESC" desc="Description of the 'HTTPAuthentication' policy group">
+      Policies related to integrated HTTP authentication.
+    </message>
+
+    <message name="IDS_POLICY_AUTHSCHEMES_CAPTION" desc="Caption of the 'supported auth schemes' policy.">
+      Supported authentication schemes
+    </message>
+    <message name="IDS_POLICY_AUTHSCHEMES_DESC" desc="Description of the 'supported auth schemes' policy.">
+      Specifies which HTTP Authentication schemes are supported by <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
+
+      Possible values are 'basic', 'digest', 'ntlm' and 'negotiate'. Separate multiple values with commas.
+    </message>
+    <message name="IDS_POLICY_DISABLEAUTHNEGOTIATECNAMELOOKUP_CAPTION" desc="Caption of the 'disable auth negotiate CNAME lookup' policy.">
+      Disable CNAME lookup when negotiating Kerberos authentication
+    </message>
+    <message name="IDS_POLICY_DISABLEAUTHNEGOTIATECNAMELOOKUP_DESC" desc="Description of the 'disable auth negotiate CNAME lookup' policy.">
+      Specifies whether the generated Kerberos SPN is based on the canonical DNS name or the original name entered.
+
+      If you enable this setting, CNAME lookup will be skipped and the server name will be used as entered.
+
+      If you enable this setting, the canonical name of the server will be determined via CNAME lookup.
+    </message>
+    <message name="IDS_POLICY_ENABLEAUTHNEGOTIATEPORT_CAPTION" desc="Caption of the 'enable auth negotiate port' policy.">
+      Include non-standard port in Kerberos SPN
+    </message>
+    <message name="IDS_POLICY_ENABLEAUTHNEGOTIATEPORT_DESC" desc="Description of the 'enable auth negotiate port' policy.">
+      Specifies whether the generated Kerberos SPN should include a non-standard port.
+
+      If you enable this setting, and a non-standard port (i.e., a port other than 80 or 443) is entered, it will be included in the generated Kerberos SPN.
+
+      If you disable this setting, the generated Kerberos SPN will not include a port in any case.
+    </message>
+    <message name="IDS_POLICY_AUTHSERVERWHITELIST_CAPTION" desc="Caption of the 'auth server whitelist' policy.">
+      Authentication server whitelist
+    </message>
+    <message name="IDS_POLICY_AUTHSERVERWHITELIST_DESC" desc="Description of the 'auth server whitelist' policy.">
+      Specifies which servers should be whitelisted for integrated authentication. Integrated authentication is only enabled when <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> receives an authentication challenge from a proxy or from a server which is in this permitted list.
+
+      Separate multiple server names with commas. Wildcards (*) are allowed.
+    </message>
+    <message name="IDS_POLICY_AUTHNEGOTIATEDELEGATEWHITELIST_CAPTION" desc="Caption of the 'auth negotiate delegate whitelist' policy.">
+      Kerberos delegation server whitelist
+    </message>
+    <message name="IDS_POLICY_AUTHNEGOTIATEDELEGATEWHITELIST_DESC" desc="Description of the 'auth negotiate delegate whitelist' policy.">
+      Servers that <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> may delegate to.
+    </message>
+    <!-- End HTTP Authentication Policy messages -->
+
     <message name="IDS_POLICY_METRICSREPORTINGENABLED_CAPTION" desc="Caption of the 'crash reporting' policy.">
       Enable reporting of usage and crash-related data
     </message>
diff --git a/chrome/app/policy/policy_templates.json b/chrome/app/policy/policy_templates.json
index 3f3bd47..fa31823 100644
--- a/chrome/app/policy/policy_templates.json
+++ b/chrome/app/policy/policy_templates.json
@@ -305,6 +305,62 @@
       ]
     },
     {
+      'name': 'HTTPAuthentication',
+      'type': 'group',
+      'policies': [
+        {
+          'name': 'AuthSchemes',
+          'type': 'string',
+          'annotations': {
+            'platforms': ['linux', 'mac', 'win'],
+            'products': ['chrome'],
+            'features': {'dynamic_refresh': 0},
+            'example_value': 'basic,digest,ntlm,negotiate',
+          }
+        },
+        {
+          'name': 'DisableAuthNegotiateCnameLookup',
+          'type': 'main',
+          'annotations': {
+            'platforms': ['linux', 'mac', 'win'],
+            'products': ['chrome'],
+            'features': {'dynamic_refresh': 0},
+            'example_value': False,
+          }
+        },
+        {
+          'name': 'EnableAuthNegotiatePort',
+          'type': 'main',
+          'annotations': {
+            'platforms': ['linux', 'mac', 'win'],
+            'products': ['chrome'],
+            'features': {'dynamic_refresh': 0},
+            'example_value': False,
+          }
+        },
+        {
+          'name': 'AuthServerWhitelist',
+          'type': 'string',
+          'annotations': {
+            'platforms': ['linux', 'mac', 'win'],
+            'products': ['chrome'],
+            'features': {'dynamic_refresh': 0},
+            'example_value': '*example.com,foobar.com,*baz',
+          }
+        },
+        {
+          'name': 'AuthNegotiateDelegateWhitelist',
+          'type': 'string',
+          'annotations': {
+            'platforms': ['linux', 'mac', 'win'],
+            'products': ['chrome'],
+            'features': {'dynamic_refresh': 0},
+            'example_value': 'foobar.example.com',
+          }
+        },
+      ]
+    },
+    {
       'name': 'Extensions',
       'type': 'group',
       'policies': [{
diff --git a/chrome/browser/browser_process_impl.cc b/chrome/browser/browser_process_impl.cc
index 6c384d8..4adfd54 100644
--- a/chrome/browser/browser_process_impl.cc
+++ b/chrome/browser/browser_process_impl.cc
@@ -555,7 +555,7 @@ void BrowserProcessImpl::CreateIOThread() {
   background_x11_thread_.swap(background_x11_thread);
 #endif
 
-  scoped_ptr<IOThread> thread(new IOThread);
+  scoped_ptr<IOThread> thread(new IOThread(local_state()));
   base::Thread::Options options;
   options.message_loop_type = MessageLoop::TYPE_IO;
   if (!thread->StartWithOptions(options))
diff --git a/chrome/browser/io_thread.cc b/chrome/browser/io_thread.cc
index b12b7f0..9b7f718 100644
--- a/chrome/browser/io_thread.cc
+++ b/chrome/browser/io_thread.cc
@@ -4,6 +4,8 @@
 
 #include "chrome/browser/io_thread.h"
 
+#include <vector>
+
 #include "base/command_line.h"
 #include "base/debug/leak_tracker.h"
 #include "base/logging.h"
@@ -21,9 +23,11 @@
 #include "chrome/browser/net/connect_interceptor.h"
 #include "chrome/browser/net/passive_log_collector.h"
 #include "chrome/browser/net/predictor_api.h"
+#include "chrome/browser/prefs/pref_service.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/net/raw_host_resolver_proc.h"
 #include "chrome/common/net/url_fetcher.h"
+#include "chrome/common/pref_names.h"
 #include "net/base/dnsrr_resolver.h"
 #include "net/base/host_cache.h"
 #include "net/base/host_resolver.h"
@@ -207,11 +211,25 @@ IOThread::Globals::Globals() {}
 
 IOThread::Globals::~Globals() {}
 
-IOThread::IOThread()
+// |local_state| is passed in explicitly in order to (1) reduce implicit
+// dependencies and (2) make IOThread more flexible for testing.
+IOThread::IOThread(PrefService* local_state)
     : BrowserProcessSubThread(BrowserThread::IO),
       globals_(NULL),
       speculative_interceptor_(NULL),
-      predictor_(NULL) {}
+      predictor_(NULL) {
+  // We call RegisterPrefs() here (instead of inside browser_prefs.cc) to make
+  // sure that everything is initialized in the right order.
+  RegisterPrefs(local_state);
+  auth_schemes_ = local_state->GetString(prefs::kAuthSchemes);
+  negotiate_disable_cname_lookup_ = local_state->GetBoolean(
+      prefs::kDisableAuthNegotiateCnameLookup);
+  negotiate_enable_port_ = local_state->GetBoolean(
+      prefs::kEnableAuthNegotiatePort);
+  auth_server_whitelist_ = local_state->GetString(prefs::kAuthServerWhitelist);
+  auth_delegate_whitelist_ = local_state->GetString(
+      prefs::kAuthNegotiateDelegateWhitelist);
+}
 
 IOThread::~IOThread() {
   // We cannot rely on our base class to stop the thread since we want our
@@ -401,41 +419,36 @@ void IOThread::CleanUpAfterMessageLoopDestruction() {
   base::debug::LeakTracker<URLRequest>::CheckForLeaks();
 }
 
+// static
+void IOThread::RegisterPrefs(PrefService* local_state) {
+  local_state->RegisterStringPref(prefs::kAuthSchemes,
+                                  "basic,digest,ntlm,negotiate");
+  local_state->RegisterBooleanPref(prefs::kDisableAuthNegotiateCnameLookup,
+                                   false);
+  local_state->RegisterBooleanPref(prefs::kEnableAuthNegotiatePort, false);
+  local_state->RegisterStringPref(prefs::kAuthServerWhitelist, "");
+  local_state->RegisterStringPref(prefs::kAuthNegotiateDelegateWhitelist, "");
+}
+
 net::HttpAuthHandlerFactory* IOThread::CreateDefaultAuthHandlerFactory(
     net::HostResolver* resolver) {
-  const CommandLine& command_line = *CommandLine::ForCurrentProcess();
 
-  // Get the whitelist information from the command line, create an
-  // HttpAuthFilterWhitelist, and attach it to the HttpAuthHandlerFactory.
-  net::HttpAuthFilterWhitelist* auth_filter_default_credentials = NULL;
-  if (command_line.HasSwitch(switches::kAuthServerWhitelist)) {
-    auth_filter_default_credentials = new net::HttpAuthFilterWhitelist(
-        command_line.GetSwitchValueASCII(switches::kAuthServerWhitelist));
-  }
-  net::HttpAuthFilterWhitelist* auth_filter_delegate = NULL;
-  if (command_line.HasSwitch(switches::kAuthNegotiateDelegateWhitelist)) {
-    auth_filter_delegate = new net::HttpAuthFilterWhitelist(
-        command_line.GetSwitchValueASCII(
-            switches::kAuthNegotiateDelegateWhitelist));
-  }
+  net::HttpAuthFilterWhitelist* auth_filter_default_credentials =
+      new net::HttpAuthFilterWhitelist(auth_server_whitelist_);
+  net::HttpAuthFilterWhitelist* auth_filter_delegate =
+      new net::HttpAuthFilterWhitelist(auth_delegate_whitelist_);
   globals_->url_security_manager.reset(
       net::URLSecurityManager::Create(auth_filter_default_credentials,
                                       auth_filter_delegate));
-
-  // Determine which schemes are supported.
-  std::string csv_auth_schemes = "basic,digest,ntlm,negotiate";
-  if (command_line.HasSwitch(switches::kAuthSchemes))
-    csv_auth_schemes = StringToLowerASCII(
-        command_line.GetSwitchValueASCII(switches::kAuthSchemes));
   std::vector<std::string> supported_schemes;
-  base::SplitString(csv_auth_schemes, ',', &supported_schemes);
+  base::SplitString(auth_schemes_, ',', &supported_schemes);
 
   return net::HttpAuthHandlerRegistryFactory::Create(
       supported_schemes,
       globals_->url_security_manager.get(),
       resolver,
-      command_line.HasSwitch(switches::kDisableAuthNegotiateCnameLookup),
-      command_line.HasSwitch(switches::kEnableAuthNegotiatePort));
+      negotiate_disable_cname_lookup_,
+      negotiate_enable_port_);
 }
 
 void IOThread::InitNetworkPredictorOnIOThread(
diff --git a/chrome/browser/io_thread.h b/chrome/browser/io_thread.h
index 99cb281..4bc63cda 100644
--- a/chrome/browser/io_thread.h
+++ b/chrome/browser/io_thread.h
@@ -8,6 +8,7 @@
 
 #include <list>
 #include <set>
+#include <string>
 #include "base/basictypes.h"
 #include "base/ref_counted.h"
 #include "base/scoped_ptr.h"
@@ -19,6 +20,7 @@
 class ChromeNetLog;
 class ChromeURLRequestContextGetter;
 class ListValue;
+class PrefService;
 class URLRequestContext;
 
 namespace chrome_browser_net {
@@ -48,7 +50,7 @@ class IOThread : public BrowserProcessSubThread {
     ChromeNetworkDelegate network_delegate;
   };
 
-  IOThread();
+  explicit IOThread(PrefService* local_state);
 
   virtual ~IOThread();
 
@@ -102,6 +104,8 @@ class IOThread : public BrowserProcessSubThread {
   class ManagedProxyScriptFetcher;
   typedef std::set<ManagedProxyScriptFetcher*> ProxyScriptFetchers;
 
+  static void RegisterPrefs(PrefService* local_state);
+
   net::HttpAuthHandlerFactory* CreateDefaultAuthHandlerFactory(
       net::HostResolver* resolver);
 
@@ -134,6 +138,13 @@ class IOThread : public BrowserProcessSubThread {
   // Observer that logs network changes to the ChromeNetLog.
   scoped_ptr<net::NetworkChangeNotifier::Observer> network_change_observer_;
 
+  // Store HTTP Auth-related policies in this thread.
+  std::string auth_schemes_;
+  bool negotiate_disable_cname_lookup_;
+  bool negotiate_enable_port_;
+  std::string auth_server_whitelist_;
+  std::string auth_delegate_whitelist_;
+
   // These member variables are initialized by a task posted to the IO thread,
   // which gets posted by calling certain member functions of IOThread.
 
diff --git a/chrome/browser/net/connection_tester_unittest.cc b/chrome/browser/net/connection_tester_unittest.cc
index 4191484..af505d8 100644
--- a/chrome/browser/net/connection_tester_unittest.cc
+++ b/chrome/browser/net/connection_tester_unittest.cc
@@ -5,6 +5,7 @@
 #include "chrome/browser/net/connection_tester.h"
 
 #include "chrome/browser/io_thread.h"
+#include "chrome/test/testing_pref_service.h"
 #include "net/base/mock_host_resolver.h"
 #include "net/test/test_server.h"
 #include "testing/gtest/include/gtest/gtest.h"
@@ -75,7 +76,8 @@ class ConnectionTesterTest : public PlatformTest {
   ConnectionTesterTest()
       : test_server_(net::TestServer::TYPE_HTTP,
             FilePath(FILE_PATH_LITERAL("net/data/url_request_unittest"))),
-        message_loop_(MessageLoop::TYPE_IO) {
+        message_loop_(MessageLoop::TYPE_IO),
+        io_thread_(new TestingPrefService()) {
     scoped_refptr<net::RuleBasedHostResolverProc> catchall_resolver(
         new net::RuleBasedHostResolverProc(NULL));
 
diff --git a/chrome/browser/policy/configuration_policy_pref_store.cc b/chrome/browser/policy/configuration_policy_pref_store.cc
index 5b46c56..3d73182 100644
--- a/chrome/browser/policy/configuration_policy_pref_store.cc
+++ b/chrome/browser/policy/configuration_policy_pref_store.cc
@@ -155,6 +155,16 @@ const ConfigurationPolicyPrefStore::PolicyToPreferenceMapEntry
     prefs::kDevToolsDisabled },
   { Value::TYPE_BOOLEAN, kPolicyBlockThirdPartyCookies,
     prefs::kBlockThirdPartyCookies},
+  { Value::TYPE_STRING, kPolicyAuthSchemes,
+    prefs::kAuthSchemes },
+  { Value::TYPE_BOOLEAN, kPolicyDisableAuthNegotiateCnameLookup,
+    prefs::kDisableAuthNegotiateCnameLookup },
+  { Value::TYPE_BOOLEAN, kPolicyEnableAuthNegotiatePort,
+    prefs::kEnableAuthNegotiatePort },
+  { Value::TYPE_STRING, kPolicyAuthServerWhitelist,
+    prefs::kAuthServerWhitelist },
+  { Value::TYPE_STRING, kPolicyAuthNegotiateDelegateWhitelist,
+    prefs::kAuthNegotiateDelegateWhitelist },
 
 #if defined(OS_CHROMEOS)
   { Value::TYPE_BOOLEAN, kPolicyChromeOsLockOnIdleSuspend,
@@ -250,6 +260,15 @@ ConfigurationPolicyPrefStore::GetChromePolicyDefinitionList() {
       key::kDeveloperToolsDisabled },
     { kPolicyBlockThirdPartyCookies, Value::TYPE_BOOLEAN,
       key::kBlockThirdPartyCookies },
+    { kPolicyAuthSchemes, Value::TYPE_STRING, key::kAuthSchemes },
+    { kPolicyDisableAuthNegotiateCnameLookup, Value::TYPE_BOOLEAN,
+      key::kDisableAuthNegotiateCnameLookup },
+    { kPolicyEnableAuthNegotiatePort, Value::TYPE_BOOLEAN,
+      key::kEnableAuthNegotiatePort },
+    { kPolicyAuthServerWhitelist, Value::TYPE_STRING,
+      key::kAuthServerWhitelist },
+    { kPolicyAuthNegotiateDelegateWhitelist, Value::TYPE_STRING,
+      key::kAuthNegotiateDelegateWhitelist },
 
 #if defined(OS_CHROMEOS)
     { kPolicyChromeOsLockOnIdleSuspend, Value::TYPE_BOOLEAN,
diff --git a/chrome/browser/policy/configuration_policy_pref_store_unittest.cc b/chrome/browser/policy/configuration_policy_pref_store_unittest.cc
index 0809c00..1940b73 100644
--- a/chrome/browser/policy/configuration_policy_pref_store_unittest.cc
+++ b/chrome/browser/policy/configuration_policy_pref_store_unittest.cc
@@ -106,7 +106,15 @@ INSTANTIATE_TEST_CASE_P(
         TypeAndName(kPolicyProxyBypassList,
                     prefs::kProxyBypassList),
         TypeAndName(kPolicyApplicationLocale,
-                    prefs::kApplicationLocale)));
+                    prefs::kApplicationLocale),
+        TypeAndName(kPolicyApplicationLocale,
+                    prefs::kApplicationLocale),
+        TypeAndName(kPolicyAuthSchemes,
+                    prefs::kAuthSchemes),
+        TypeAndName(kPolicyAuthServerWhitelist,
+                    prefs::kAuthServerWhitelist),
+        TypeAndName(kPolicyAuthNegotiateDelegateWhitelist,
+                    prefs::kAuthNegotiateDelegateWhitelist)));
 
 // Test cases for boolean-valued policy settings.
 class ConfigurationPolicyPrefStoreBooleanTest
@@ -161,7 +169,13 @@ INSTANTIATE_TEST_CASE_P(
         TypeAndName(kPolicyJavascriptEnabled,
                     prefs::kWebKitJavascriptEnabled),
         TypeAndName(kPolicySavingBrowserHistoryDisabled,
-                    prefs::kSavingBrowserHistoryDisabled)));
+                    prefs::kSavingBrowserHistoryDisabled),
+        TypeAndName(kPolicySavingBrowserHistoryDisabled,
+                    prefs::kSavingBrowserHistoryDisabled),
+        TypeAndName(kPolicyDisableAuthNegotiateCnameLookup,
+                    prefs::kDisableAuthNegotiateCnameLookup),
+        TypeAndName(kPolicyEnableAuthNegotiatePort,
+                    prefs::kEnableAuthNegotiatePort)));
 
 #if defined(OS_CHROMEOS)
 INSTANTIATE_TEST_CASE_P(
diff --git a/chrome/browser/policy/configuration_policy_store_interface.h b/chrome/browser/policy/configuration_policy_store_interface.h
index 7bdcf74..cd28771 100644
--- a/chrome/browser/policy/configuration_policy_store_interface.h
+++ b/chrome/browser/policy/configuration_policy_store_interface.h
@@ -53,6 +53,12 @@ enum ConfigurationPolicyType {
   kPolicyBlockThirdPartyCookies,
   kPolicyExtensionInstallForceList,
   kPolicyChromeOsLockOnIdleSuspend,
+  kPolicyAuthSchemes,
+  kPolicyDisableAuthNegotiateCnameLookup,
+  kPolicyEnableAuthNegotiatePort,
+  kPolicyAuthServerWhitelist,
+  kPolicyAuthNegotiateDelegateWhitelist,
+
 };
 
 static const int kPolicyNoProxyServerMode = 0;
diff --git a/chrome/browser/prefs/command_line_pref_store.cc b/chrome/browser/prefs/command_line_pref_store.cc
index 5a9a7eb..f5c146d 100644
--- a/chrome/browser/prefs/command_line_pref_store.cc
+++ b/chrome/browser/prefs/command_line_pref_store.cc
@@ -16,12 +16,20 @@ const CommandLinePrefStore::StringSwitchToPreferenceMapEntry
       { switches::kProxyServer, prefs::kProxyServer },
       { switches::kProxyPacUrl, prefs::kProxyPacUrl },
       { switches::kProxyBypassList, prefs::kProxyBypassList },
+      { switches::kAuthSchemes, prefs::kAuthSchemes },
+      { switches::kAuthServerWhitelist, prefs::kAuthServerWhitelist },
+      { switches::kAuthNegotiateDelegateWhitelist,
+          prefs::kAuthNegotiateDelegateWhitelist },
 };
 
 const CommandLinePrefStore::BooleanSwitchToPreferenceMapEntry
     CommandLinePrefStore::boolean_switch_map_[] = {
       { switches::kNoProxyServer, prefs::kNoProxyServer, true },
       { switches::kProxyAutoDetect, prefs::kProxyAutoDetect, true },
+      { switches::kDisableAuthNegotiateCnameLookup,
+          prefs::kDisableAuthNegotiateCnameLookup, true },
+      { switches::kEnableAuthNegotiatePort, prefs::kEnableAuthNegotiatePort,
+          true },
 };
 
 CommandLinePrefStore::CommandLinePrefStore(const CommandLine* command_line)
diff --git a/chrome/common/policy_constants.cc b/chrome/common/policy_constants.cc
index f56f2b2..5eb5998 100644
--- a/chrome/common/policy_constants.cc
+++ b/chrome/common/policy_constants.cc
@@ -57,6 +57,12 @@ const char kJavascriptEnabled[] = "JavascriptEnabled";
 const char kSavingBrowserHistoryDisabled[] = "SavingBrowserHistoryDisabled";
 const char kDeveloperToolsDisabled[] = "DeveloperToolsDisabled";
 const char kBlockThirdPartyCookies[] = "BlockThirdPartyCookies";
+const char kAuthSchemes[] = "AuthSchemes";
+const char kDisableAuthNegotiateCnameLookup[] =
+    "DisableAuthNegotiateCnameLookup";
+const char kEnableAuthNegotiatePort[] = "EnableAuthNegotiatePort";
+const char kAuthServerWhitelist[] = "AuthServerWhitelist";
+const char kAuthNegotiateDelegateWhitelist[] = "AuthNegotiateDelegateWhitelist";
 
 // Chrome Frame specific policy constants
 const char kChromeFrameRendererSettings[] = "ChromeFrameRendererSettings";
diff --git a/chrome/common/policy_constants.h b/chrome/common/policy_constants.h
index 1bff710..e0244e0 100644
--- a/chrome/common/policy_constants.h
+++ b/chrome/common/policy_constants.h
@@ -54,6 +54,11 @@ extern const char kJavascriptEnabled[];
 extern const char kSavingBrowserHistoryDisabled[];
 extern const char kDeveloperToolsDisabled[];
 extern const char kBlockThirdPartyCookies[];
+extern const char kAuthSchemes[];
+extern const char kDisableAuthNegotiateCnameLookup[];
+extern const char kEnableAuthNegotiatePort[];
+extern const char kAuthServerWhitelist[];
+extern const char kAuthNegotiateDelegateWhitelist[];
 
 // Chrome Frame specific policy constants
 extern const char kChromeFrameRendererSettings[];
diff --git a/chrome/common/pref_names.cc b/chrome/common/pref_names.cc
index 9c91912..d809dfd 100644
--- a/chrome/common/pref_names.cc
+++ b/chrome/common/pref_names.cc
@@ -1025,6 +1025,23 @@ const char kRemotingHasSetupCompleted[] = "remoting.has_setup_completed";
 // launches.
 const char kRegisteredBackgroundContents[] = "background_contents.registered";
 
+// String that lists supported HTTP authentication schemes.
+const char kAuthSchemes[] = "auth.schemes";
+
+// Boolean that specifies whether to disable CNAME lookups when generating
+// Kerberos SPN.
+const char kDisableAuthNegotiateCnameLookup[] =
+    "auth.disable_negotiate_cname_lookup";
+// Boolean that specifies whether to include the port in a generated Kerberos
+// SPN.
+const char kEnableAuthNegotiatePort[] = "auth.enable_negotiate_port";
+// Whitelist containing servers for which Integrated Authentication is enabled.
+const char kAuthServerWhitelist[] = "auth.server_whitelist";
+// Whitelist containing servers Chrome is allowed to do Kerberos delegation
+// with.
+const char kAuthNegotiateDelegateWhitelist[] =
+    "auth.negotiate_delegate_whitelist";
+
 #if defined(OS_CHROMEOS)
 // Dictionary for transient storage of settings that should go into signed
 // settings storage before owner has been assigned.
diff --git a/chrome/common/pref_names.h b/chrome/common/pref_names.h
index 0d5275c..6200467 100644
--- a/chrome/common/pref_names.h
+++ b/chrome/common/pref_names.h
@@ -400,6 +400,12 @@ extern const char kSignedSettingsTempStorage[];
 
 extern const char kRegisteredBackgroundContents[];
 
+extern const char kAuthSchemes[];
+extern const char kDisableAuthNegotiateCnameLookup[];
+extern const char kEnableAuthNegotiatePort[];
+extern const char kAuthServerWhitelist[];
+extern const char kAuthNegotiateDelegateWhitelist[];
+
 }  // namespace prefs
 
 #endif  // CHROME_COMMON_PREF_NAMES_H_