Edit

Share via


DisableAuthNegotiateCnameLookup

Disable CNAME lookup when negotiating Kerberos authentication

Supported versions

  • On Windows and macOS since 77 or later

Description

Determines whether the generated Kerberos SPN is based on the canonical DNS name (CNAME) or on the original name entered.

If you enable this policy, CNAME lookup is skipped and the server name (as entered) is used.

If you disable this policy or don't configure it, the canonical name of the server is used. This is determined through CNAME lookup.

Supported features

  • Can be mandatory: Yes
  • Can be recommended: No
  • Dynamic Policy Refresh: No - Requires browser restart
  • Per Profile: No
  • Applies to a profile that is signed in with a Microsoft account: Yes

Data type

  • Boolean

Windows information and settings

Group Policy (ADMX) info

  • GP unique name: DisableAuthNegotiateCnameLookup
  • GP name: Disable CNAME lookup when negotiating Kerberos authentication
  • GP path (Mandatory): Administrative Templates/Microsoft Edge/HTTP authentication
  • GP path (Recommended): N/A
  • GP ADMX file name: MSEdge.admx

Example value

Disabled

Registry settings

  • Path (Mandatory): SOFTWARE\Policies\Microsoft\Edge
  • Path (Recommended): N/A
  • Value name: DisableAuthNegotiateCnameLookup
  • Value type: REG_DWORD

Example registry value

0x00000000

Mac information and settings

  • Preference Key name: DisableAuthNegotiateCnameLookup
  • Example value:
<false/>

See also