Posted on 07-28-2016 05:16 AM
So at work we're currently at 10.10.5 on all our machines (big push to 10.11 coming soon) and we currently use Safari for internal websites and Firefox for external websites. So the users wanted to know why we couldn't use Safari for external websites, so I started looking into the issue.
It seems that anytime the OS tries to get to any external website, it doesn't send any authentication. This seems to be the case for Safari, iTunes, and App Store. So I called our Apple rep and set up a meeting with an engineer. It lasted about an hour and pretty much to get anywhere we need to get the Tier 3 support plan (which I'm working on proposing to management). But in the meantime, I wanted to work with our proxy folks to see what the issue is. So I had a good meeting with them yesterday and we ran quite a few tests. It turns out the OS is never sending authenticated messages. It keeps sending the requests as anonymous, even though Safari/iTunes/App Store do prompt the user for credentials on initial launch and they are stored in the keychain. It looks like that information is never getting sent to the proxy.
So are any of you guys seeing this same issue? Is there a fix? I don't mind talking with management about getting a tier 3 level agreement, but want to see if this is actually fixable before we shell out lots of money.
Posted on 07-28-2016 06:43 AM
I can't test this in my env so not sure I'd be much help. Firefox does work? Chrome too, I assume, as both of them use their own proxy settings. You can try the curl command line if you wanted (-x flag). I wouldn't invest in a support plan solely for this issue - they'll likely come back with "yeah, it's busted". This issue is out on the Internet (http://apple.stackexchange.com/questions/118150/safari-7-cant-connect-to-intranet-using-http-authentication)
Posted on 07-28-2016 06:59 AM
If you Wireshark the traffic you can see the communication between the client and the proxy... the client will send an HTTP GET request for the page to the proxy (assuming you have proxy settings for that network adapter), the proxy will likely respond with a request for authentication, and may try to negotiate a specific type of authentication that the Mac can't supply. There are different types of authentication, NTLM, Kerberos, etc.... my suggestion is to find out what type of authentication the proxy server is configured for.
It may help to get a recommendation from the proxy vendor for authentication settings that will work for Macs in your environment... if you can get Kerberos tickets on the Mac then Kerberos is probably your best bet.
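One way to find out which authentication types the proxy is configured for, as suggested in the post above, is to look at the Proxy-Authenticate headers in the 407 response the proxy sends back to an unauthenticated request (the same thing you would see in a Wireshark capture, or in the output of `curl -v -x http://proxy:port http://example.com`). The script below is an added example and is not from this thread or from Apple; the captured response it parses is constructed, and the proxy hostname and scheme notes are assumptions for illustration.

```python
"""Parse an HTTP 407 response from a proxy and list the authentication
schemes it offers, so you can tell whether the client is being asked for
Negotiate (Kerberos), NTLM, Basic, or something else.

Added example. The response text below is constructed, not captured from a
real proxy; the hostname proxy.example.internal is a placeholder."""

# Constructed sample of what a proxy might return to an anonymous GET.
# Real captures come from Wireshark or `curl -v -x http://proxy.example.internal:3128 http://example.com`.
SAMPLE_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: Negotiate\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    'Proxy-Authenticate: Basic realm="corp-proxy"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

# Short, defender-oriented notes on each scheme (assumed wording, not vendor text).
SCHEME_NOTES = {
    "negotiate": "SPNEGO, normally Kerberos; the Mac needs a valid ticket for the proxy's SPN",
    "ntlm": "NTLM challenge/response; support differs between apps on the Mac",
    "basic": "Basic sends the credentials base64-encoded, i.e. readable to anyone on the path",
    "digest": "Digest challenge/response",
}


def status_code(raw):
    """Return the numeric status code from the response's status line."""
    status_line = raw.split("\r\n", 1)[0]
    return int(status_line.split()[1])


def proxy_auth_schemes(raw):
    """Return the auth schemes named in Proxy-Authenticate headers, in the
    order the proxy listed them. Handles both one-scheme-per-header and
    comma-separated lists; a piece whose first token contains '=' is a
    parameter (e.g. realm=...) of the preceding scheme, not a new scheme."""
    head = raw.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "proxy-authenticate":
            continue
        for piece in value.split(","):
            piece = piece.strip()
            if not piece:
                continue
            first = piece.split(None, 1)[0]
            if "=" in first:
                continue
            schemes.append(first)
    return schemes


def explain(raw):
    """Pair each offered scheme with a note; unknown schemes are flagged."""
    return [(s, SCHEME_NOTES.get(s.lower(), "unknown scheme")) for s in proxy_auth_schemes(raw)]


if __name__ == "__main__":
    print("status:", status_code(SAMPLE_407))
    for scheme, note in explain(SAMPLE_407):
        print(f"{scheme:10s} {note}")
```

If the only scheme in the list is one the Mac's system proxy stack cannot complete, that matches the symptom in this thread: the client keeps sending anonymous requests because it never produces an acceptable Proxy-Authorization header. Seeing Negotiate in the list is the case where getting Kerberos tickets on the Mac is worth trying.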
Posted on 07-28-2016 08:50 AM
Can you not mirror the proxy settings from Firefox into the network pane in system preferences?
As long as you know the proxy address/port and what sort of authentication it's using then that should do it?
We used to use a Barracuda that wouldn't work unless we hardcoded the settings this way.
Posted on 07-28-2016 09:06 AM
So yeah, I did a lot of Wireshark testing and what I saw was it getting denied quite a bit, but it never was sending the authenticated credentials. It just kept sending the links anonymously. Had a good hour session with the proxy guy yesterday as well watching the traffic coming in.
The Firefox settings are exactly like the system settings, so not from that angle.
UPDATE: So today I was working with our info sec team and he made a suggestion which seems to help out. In our bypass we have the typical .company.com in there. If we remove it, Safari seems to work without issue. Which is very odd. But some internal sites can't be accessed since they look like they are coming externally. So I have specific links in the bypass right now as a band-aid, but it's odd that it didn't like the .company.com in there. Anyone else see something like this?