Lion 10.7.2 and proxy authentication box

Not applicable

Hi Casper users,

We've created a Lion 10.7.2 image configuration, which deploys fine thanks to the many great suggestions made on this list. However, what we've found is that on any imaged Mac a "proxy authentication required" box appears soon after login. Its quite a nuisance and what makes matters worse is that if you click the Cancel button the dialog box reappears. It won't go away unless you enter login details twice.

The dialog box comes from a process called "UserNotificationCenter". Has anyone found this behaviour too, and if so is there any way to prevent this proxy dialog box from popping up? There is no obvious clue either which application is initiating it.

Kind regards,

Ron.

17 REPLIES 17

Janowski
New Contributor II

We are experiencing the same thing here.

--missing content--

CoreServices > HelpViewer. We think it's trying to call out for updates to

the Help documents and that it's now "proxy aware" so it knows enough to
prompt the user...

The real issue for us, is that if you authenticate to this a couple times to
get it to go away, it logs the credentials in a keychain. It doesn't tell
you it's doing it and there is no checkbox to "remember password" that can
be toggled. In our environment, users will have to change this password
every 90 days... so we expect them all to be locked out after a password
change, because they won't know to sync with their keychains...

We're entertaining the idea of a login script that just whacks the
login.keychain file... which is brutish and kinda lame... but better than
users being locked out all the time.

We're also don't currently bind our machines to AD. But even when we do in a
test environment, our kerberos TGTs don't hand off the credentials to this
beast... we can mount servers with it and what not, so we know the TGT is
good... for some things..

This authenticating proxy is the bane of our existence....

I'll be tuning in to this thread for sure! Here's to hoping someone else has
gotten a little further than we have :)

*ben** janowski*
Senior Macintosh Support Technician
*Kohl's Mac Support Team *| 262.703.1396

On Fri, Oct 28, 2011 at 2:05 AM, Ron GRUNWALD <ron.grunwald at ecu.edu.au>wrote:

Hi Casper users, We've created a Lion 10.7.2 image configuration, which deploys fine thanks to the many great suggestions made on this list. However, what we've found is that on any imaged Mac a "proxy authentication required" box appears soon after login. Its quite a nuisance and what makes matters worse is that if you click the Cancel button the dialog box reappears. It won't go away unless you enter login details twice. The dialog box comes from a process called "UserNotificationCenter". Has anyone found this behaviour too, and if so is there any way to prevent this proxy dialog box from popping up? There is no obvious clue either which application is initiating it. Kind regards, Ron. ** Author : Ron Grunwald Department : IT Desktop Services Organisation: Edith Cowan University Faculty : ITSC / ITSS Location : Joondalup, Western Australia Email : ron.grunwald at ecu.edu.au Alt. Email : rongrw at yahoo.com.au Telephone : 6304 3629 Mobile Ph. : 0439 016 746 ** "They who play with root will eventually kill tree !"
This e-mail is confidential. If you are not the intended recipient you must not disclose or use the information contained within. If you have received it in error please return it to the sender via reply e-mail and delete any record of it from your system. The information contained within is not the opinion of Edith Cowan University in general and the University accepts no liability for the accuracy of the information provided. CRICOS IPC 00279B
Casper mailing list Casper at list.jamfsoftware.com http://list.jamfsoftware.com/mailman/listinfo/casper

--20cf3071cf5e4805f304b05c3ba2
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

We are experiencing the same thing here. <br><br>From what we are seeing, i
t might have something to do with System &gt; Library &gt; CoreServices &gt
; HelpViewer. We think it&#39;s trying to call out for updates to the Help documents and that it&#39;s now &quot;proxy aware&quot; so it knows enough to prompt the user...<br>
<br>The real issue for us, is that if you authenticate to this a couple tim
es to get it to go away, it logs the credentials in a keychain. It doesn&#3
9;t tell you it&#39;s doing it and there is no checkbox to &quot;remember p
assword&quot; that can be toggled. In our environment, users will have to c
hange this password every 90 days... so we expect them all to be locked out after a password change, because they won&#39;t know to sync with their ke
ychains...<br>
<br>We&#39;re entertaining the idea of a login script that just whacks the login.keychain file... which is brutish and kinda lame... but better than u
sers being locked out all the time. <br><br>We&#39;re also don&#39;t curren
tly bind our machines to AD. But even when we do in a test environment, our kerberos TGTs don&#39;t hand off the credentials to this beast... we can m
ount servers with it and what not, so we know the TGT is good... for some t
hings..<br>
<br>This authenticating proxy is the bane of our existence....<br><br>I&#39
;ll be tuning in to this thread for sure! Here&#39;s to hoping someone else has gotten a little further than we have :)<br clear"all">

<p><font color"#339999"><span><b>ben</b></span><span><b> janowski</b></s
pan></font><br><font color"#999999">
<font size"1">Senior Macintosh Support Technician</font></font><br>
<font color"#999999" size"1"><span><b>Kohl&#39;s Mac Support Team=A0<
/b></span>| 262.703.</font><font color"#339999" size"1">1396=A0</font

</p><br>

<br><br><div class"gmail_quote">On Fri, Oct 28, 2011 at 2:05 AM, Ron GRU
NWALD <span dir"ltr">&lt;<a href"mailto:ron.grunwald at ecu.edu.au">ron.
grunwald at ecu.edu.au</a>&gt;</span> wrote:<br><blockquote class"gmail_quo
te" style"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;
">
Hi Casper users,<br>
<br>
We&#39;ve created a Lion 10.7.2 image configuration, which deploys fine tha
nks to the many great suggestions made on this list. However, what we&#39;v
e found is that on any imaged Mac a &quot;proxy authentication required&quo
t; box appears soon after login. Its quite a nuisance and what makes matter
s worse is that if you click the Cancel button the dialog box reappears. It won&#39;t go away unless you enter login details twice.<br>

<br>
The dialog box comes from a process called &quot;UserNotificationCenter&quo
t;. Has anyone found this behaviour too, and if so is there any way to prev
ent this proxy dialog box from popping up? There is no obvious clue either which application is initiating it.<br>

<br>
Kind regards,<br>
<br>
Ron.<br>

Not applicable

Same to us.
We have to authenticate at the proxy and we don't bind our macs to AD. Our work-around: At first we lock-in at the proxy with Firefox and the add-on AutoAuth, then this bad "proxy authentication required" box don't appears any longer. For that Firefox has become a start-object. After one month, you have to renew the pw, but that's ok.

Juergen Herzog

benjamin.janowski at kohls.com Gesendet von: casper-bounces at list.jamfsoftware.com
28.10.2011 15:55

An
casper at list.jamfsoftware.com, Kopie

Thema
Re: [Casper] Lion 10.7.2 and proxy authentication box

We are experiencing the same thing here.

--missing content--

Library > CoreServices > HelpViewer. We think it's trying to call out for
updates to the Help documents and that it's now "proxy aware" so it knows
enough to prompt the user...

The real issue for us, is that if you authenticate to this a couple times
to get it to go away, it logs the credentials in a keychain. It doesn't
tell you it's doing it and there is no checkbox to "remember password"
that can be toggled. In our environment, users will have to change this
password every 90 days... so we expect them all to be locked out after a
password change, because they won't know to sync with their keychains...

We're entertaining the idea of a login script that just whacks the
login.keychain file... which is brutish and kinda lame... but better than
users being locked out all the time.

We're also don't currently bind our machines to AD. But even when we do in

a test environment, our kerberos TGTs don't hand off the credentials to
this beast... we can mount servers with it and what not, so we know the
TGT is good... for some things..

This authenticating proxy is the bane of our existence....

I'll be tuning in to this thread for sure! Here's to hoping someone else
has gotten a little further than we have :)
ben janowski
Senior Macintosh Support Technician
Kohl's Mac Support Team | 262.703.1396

On Fri, Oct 28, 2011 at 2:05 AM, Ron GRUNWALD <ron.grunwald at ecu.edu.au> wrote:
Hi Casper users,

We've created a Lion 10.7.2 image configuration, which deploys fine thanks

to the many great suggestions made on this list. However, what we've found

is that on any imaged Mac a "proxy authentication required" box appears
soon after login. Its quite a nuisance and what makes matters worse is
that if you click the Cancel button the dialog box reappears. It won't go
away unless you enter login details twice.

The dialog box comes from a process called "UserNotificationCenter". Has
anyone found this behaviour too, and if so is there any way to prevent
this proxy dialog box from popping up? There is no obvious clue either
which application is initiating it.

Kind regards,

Ron.

--missing content--

Library &gt; CoreServices &gt; HelpViewer. We think it's trying to call
out for updates to the Help documents and that it's now &quot;proxy aware&q
uot;
so it knows enough to prompt the user...<br><br>The real issue for us, is t
hat if you authenticate to this a couple times
to get it to go away, it logs the credentials in a keychain. It doesn't
tell you it's doing it and there is no checkbox to &quot;remember password&
quot;
that can be toggled. In our environment, users will have to change this
password every 90 days... so we expect them all to be locked out after
a password change, because they won't know to sync with their keychains...<
br><br>We're entertaining the idea of a login script that just whacks the l
ogin.keychain
file... which is brutish and kinda lame... but better than users being
locked out all the time. <br><br>We're also don't currently bind our machin
es to AD. But even when we do
in a test environment, our kerberos TGTs don't hand off the credentials
to this beast... we can mount servers with it and what not, so we know
the TGT is good... for some things..<br><br>This authenticating proxy is th
e bane of our existence....<br><br>I'll be tuning in to this thread for sur
e! Here's to hoping someone else
has gotten a little further than we have :)</font><p><font size3 color
#3f8080><b>ben janowski</b></font><font size1 color#a2a2a2><br>Sen
ior Macintosh Support Technician<b><br>Kohl's Mac Support Team&nbsp;</b>| 2
62.703.</font><font size1 color#3f8080>1396&nbsp;</font><p><font size
3><br><br></font><br><font size3>On Fri, Oct 28, 2011 at 2:05 AM, Ron GRUNWALD &lt;</font><a hrefmailto:ron.grunwald at ecu.edu.au><font size
3 colorblue><u>ron.grunwald at ecu.edu.au</u></font></a><font size3>&gt;
wrote:</font><br><font size3>Hi Casper users,<br><br>We've created a Lio
n 10.7.2 image configuration, which deploys fine thanks
to the many great suggestions made on this list. However, what we've found
is that on any imaged Mac a &quot;proxy authentication required&quot; box
appears soon after login. Its quite a nuisance and what makes matters worse
is that if you click the Cancel button the dialog box reappears. It won't
go away unless you enter login details twice.<br><br>The dialog box comes f
rom a process called &quot;UserNotificationCenter&quot;.
Has anyone found this behaviour too, and if so is there any way to prevent
this proxy dialog box from popping up? There is no obvious clue either
which application is initiating it.<br><br>Kind regards,<br><br>Ron.<br>*
*
<br>Author &nbsp; &nbsp; &nbsp;: Ron Grunwald<br>Department &nbsp;: IT Desktop Services<br>Organisat
ion: Edith Cowan University<br>Faculty &nbsp; &nbsp; : ITSC / ITSS<br>Locat
ion &nbsp; &nbsp;: Joondalup, Western Australia<br>Email &nbsp; &nbsp; &nbs
p; : </font><a hrefmailto:ron.grunwald at ecu.edu.au><font size3 color
blue><u>ron.grunwald at ecu.edu.au</u></font></a><font size3><br>Alt. Em
ail &nbsp;: </font><a hrefmailto:rongrw at yahoo.com.au><font size3 colo
rblue><u>rongrw at yahoo.com.au</u></font></a><font size3><br>Telephone &nbsp; : 6304 3629<br>Mobile Ph. &nbsp;: 0439 016 746<br>
*
***<br>&quot;They who play with root will e
ventually kill tree !&quot;<br><br><br>=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F
=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F<br>This e-mail is confidential. If you are not the intended recipient you
must not disclose or use the information contained within. If you have
received it in error please return it to the sender via reply e-mail and
delete any record of it from your system. The information contained within
is not the opinion of Edith Cowan University in general and the University
accepts no liability for the accuracy of the information provided.<br><br>C
RICOS IPC 00279B<br>=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F
=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F
=5F=5F=5F=5F<br>Casper mailing list</font><font size3 colorblue><u><b
r></u></font><a hrefmailto:Casper at list.jamfsoftware.com><font size3 c
olorblue><u>Casper at list.jamfsoftware.com</u></font></a><font size3 co
lorblue><u><br></u></font><a hrefhttp://list.jamfsoftware.com/mailman
/listinfo/casper target=5Fblank><font size3 colorblue><u>http://li
st.jamfsoftware.com/mailman/listinfo/casper</u></font></a><br><tt><font siz
e2>=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F
=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F<br

Casper mailing list<br>Casper at list.jamfsoftware.com<br></font></tt><a href

http://list.jamfsoftware.com/mailman/listinfo/casper><tt><font size2>
http://list.jamfsoftware.com/mailman/listinfo/casper</font></tt></a><tt><fo
nt size2><br></font></tt><br><font face"sans-serif"><font face"san
s-serif, Arial, Helvetica" size"-1" color"#808080"><br>If you are not the intended addressee, please inform us immediately that you have receive
d this e-mail in error, and delete it. We thank you for your cooperation.
<br></br>

</font></font>

--=alternative 004DED5CC1257937=--

tkimpton
Valued Contributor II

Hi Ron

Try this. Its a launch daemon causing the problem. I'm going to create a launch daemons that runs a script to unload it.

http://forums.macrumors.com/showthread.php?t=1141582

Not applicable

Hi Tim,

Thank you very much for your reply. I havn't been able to confirm this as working yet because of a rather nasty login issue that has surfaced. For the benefit of others, Tim's advice to eliminate the proxy authentication box is to execute the command:

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.UserNotificationCenter.plist

I've created a startup policy around this command and will post the results once this login issue is resolved.

Cheers, Ron.

noah_swanson
New Contributor

Glad I'm not the only one. I posted on this a while ago. I ran a few network traces and have our proxy team looking through them. At first I saw a bunch of failed authentication to helposx.apple.com:443 and help.apple.com:443.

I'm trying to get rid of this but can't seem to get much progress. I've disabled and deleted RSS feeds and top sites thinking it may be that (even though I'll get the prompt just sitting at the finder).

Let me know if you stumble across any other remedies or resolutions.

Thanks,
Noah

Not applicable

Hi all,

The command posted below works on our Lion image perfectly. No proxy authentication boxes are appearing anymore. At this stage I'm happy to deploy the Casper policy to control this, but I'm slightly uncertain if this will cause any side effects to the system. For one, I can see a number of "proxy authentication required" messages in the system.log stemming from AuthBrokerAgent.

The Casper policy that I've created is below:

![external image link](attachments/38010b20241b43d9b76703b9d6b9ad9c)

Cheers, Ron.

noah_swanson
New Contributor

I should add that I no longer get the prompt unless I launch Safari. So then I get the Safari Proxy Prompt then the one from finder.

Joy...

Janowski
New Contributor II

I'm guessing that this will block all pop ups - so the side effects would
be no more notices that you are running on battery power, that your boot
disk is almost full, etc.

I might give this a run in our test environment just to see...

thanks for sharing!

*ben** janowski*
Senior Macintosh Support Technician
*Kohl's Mac Support Team *| 262.703.1396

noah_swanson
New Contributor

Okay...I built a pretty slimmed machine, no JSS, no mcafee, no AD, no nothing...This way I'll have minimum chatter when doing a network trace (http://support.apple.com/kb/HT3994).

The trace was originally full of rss feeds, so I wiped those out. Then it was autofilling "top sites". I wiped those out as well.

As I run it now, I only get the prompt once and judging from the trace it's trying to get out to:
http://configuration.apple.com/configurations/internetservices/safari/ConfigurationsMac-5.1.1.plist....

If you go to that site, it's basically a plist of all the trusted search providers and their multi lingual counterparts (google, bing, yahoo).

The other thing I see is a HTTP pose to http://safebrowsing.clients.google.com/safebrowsing/downloads?pver=2.2&client=Safari&appver=5.1.1

Not sure what to make of those. Maybe someone else on here has some ideas.

The biggest thing is that they're hitting a separate proxy prompt outside of Safari...

Thanks,
Noah

noah_swanson
New Contributor

Alright...looking though the system log and around the time I did my network trace and had this prompt there was an entry that said: 1:38:52 PM sandboxd: ([831]) WebProcess(813) deny mach-lookup com.apple.cfnetwork.AuthBrokerAgent

I disabled this: sudo launchctl unload "/System/Library/LaunchAgents/com.apple.cfnetwork.AuthBrokerAgent.plist" and the prompt went away!

I can't find too much documentation to see if this is something that is required, but I did some basic stuff on the machine, connected to servers, browsed the web, browsed finder, etc... and didn't notice anything adverse. I'll do more testing on a fresh build and see what all is actually required from my notes. I'll surely send an update when I do.

Thanks,
Noah

talkingmoose
Moderator
Moderator

Looks like disabling it should be benign according to the description in
On 11/4/11 3:13 PM, "Swanson Noah" <SwansonNoah at JohnDeere.com> wrote:
this forum:

http://forums.macrumors.com/archive/index.php/.../t-1200858.html

I would get a constant slow trickle of problem reports with Safari trying
to store passwords for users. It only confused them when their login
password changed every 90 days. I resolved this by using MCX (Casper's
Managed Preferences) to disable items in Safari menu --> Preferences...
--> AutoFill. I wonder if this would resolve the issue in Lion as well.

--

William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492

noah_swanson
New Contributor

Autofill was disabled before and still flagged the prompt.

On a new clean built system, disabling "/System/Library/LaunchAgents/com.apple.cfnetwork.AuthBrokerAgent.plist" worked like a charm! I just moved it to "/System/Library/LaunchAgents_Disabled/" for safe keepings.

Hope this helps you guys out.

Thanks,
Noah Swanson Imaging Specialist
Enterprise Desktop Services
Phone: 309-765-3153
SwansonNoah at johndeere.com

cdenoia
New Contributor

We are also experiencing the same annoyance with consistent Proxy Prompts on 10.7. Has anyone found the culprit?

Best,
Chris

Christopher A. DeNoia
Network Administrator
Pascack Valley Regional High School District
c/o Pascack Hills High School
225 W. Grand Ave.
Montvale, NJ 07645
Phone: (201) 358-7020 X2260
email: cdenoia@pascack.k12.nj.us http://www.pascack.k12.nj.us

cdenoia
New Contributor

So far Ron's solution is accurate, no apparent side effects.
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.UserNotificationCenter.plist

tkimpton
Valued Contributor II

Unloading it didn't wasn't enough because it comes back after a reboot. I moved it to another location and now all is good

craig_george
New Contributor

@Noah_Swanson..

What is the exact script you configured in Casper?

craig_george
New Contributor

@TKIMPTON - what script exactly is the one to use, sorry the thread is a bit confusing.

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.UserNotificationCenter.plist or

sudo launchctl unload "/System/Library/LaunchAgents/com.apple.cfnetwork.AuthBrokerAgent.plist"