Proxy Authentication Required window keep popping up

Bernard_Huang
Contributor III


Hi all,
Just wondering if any of you have ever come across this and possibly have a solution.
A few users in my company have complained that when they get onto the internet, they are greeted with a pop-up window asking for Proxy Authentication. This happens every time, so obviously the users get quite frustrated having to type in their password all the time.

I personally don't seem to have this issue. I believe my keychain has saved my password properly, and therefore it doesn't ask me over and over and over again.

So, is there something wrong with the end users' keychains? Or is it something else?
Anyone got an easy way to resolve this?

Most of the users are on OS X El Capitan 10.11.6, btw.


Cook
New Contributor II

Hey Mate,

I would flag this with your networks / core infra team, as some of the VLANs may be sitting behind a proxy server or be misconfigured.

We use proxies for lab environments for devices on a particular network range (could be a hint).

Just my thoughts, unless there are manual proxy settings applied to your network config somewhere in the JSS, or users with admin rights changing the settings themselves?

Good luck on this one!

Aaron
Contributor II

This is a very common issue, and one I've had to deal with for years.

I've found that it got worse with each version of OSX, but then suddenly in Sierra it's good again. Now that Apple has addressed the Sierra/AD lockout issues with 10.12.3, I've been deploying this to those affected the worst. Basically (I don't know if it was a bug or not), the CFProxySupport API will not consult the keychain. The Apple dev bookmarks I've got for this are no longer valid, so I'm guessing it's deprecated now.

Depending on your proxy appliance, I've found that it can work better if you prefix the username with your domain, i.e. "domain\username". When we had a Bluecoat proxy this wasn't required, but then we switched to a Cisco IronPort and found that it was required; otherwise it would fail and fall back to basic auth.

If you can't upgrade to Sierra because of SecOp reasons, you can look into deploying a solution with cntlm. I had this briefly before Sierra came along.

jconte
Contributor II

We had this issue when our BlueCoat proxy servers didn't have Kerberos enabled; once we enabled Kerberos, the prompts went away. Additionally, there are Apple services that try to phone home that are not proxy friendly and will also challenge for credentials; we had to manually open them to allow unauthenticated access out.

beejybone
New Contributor II

We are currently experiencing this issue with a Bluecoat proxy server. Users are actually having their AD accounts get locked by failed login attempts to the proxy server. Does anyone have a list of the Apple services that phone home and need to be allowed through the proxy unauthenticated?

jconte
Contributor II

Apple recommends that you open your environment to their 17.0.0.0/8 block of IP addresses. Since our network team didn't like that answer, we had to open everything manually. Your network team should be able to tell you where the machines are trying to get to; if not, you can try tools like Little Snitch and Charles Proxy. Hope this helps.

j_s_
New Contributor II

This was an ongoing issue for us, even after opening 17/8. I developed a script which populates the required keychain entries for our proxy. In our case, we needed to define multiple ports with -P (8080 or 80, for http/https) and protocols with -r (htpx, htsx) to suppress the proxy prompts.

Here is a snippet of the code... hope it helps.

#!/bin/sh
# Snippet: userName (local account), domainUser and domainPassword are set
# earlier in the full script. Each call stores one proxy credential in the
# user's login keychain; one entry is needed per protocol (-r) / port (-P) pair.
/usr/bin/sudo -u "${userName}" -H /usr/bin/security add-internet-password \
    -a "${domainUser}" \
    -l "proxyserver.servername.com (${domainUser})" \
    -s "proxyserver.servername.com" \
    -r "htsx" \
    -j "default" \
    -P "8080" \
    -w "${domainPassword}" \
    -t dflt \
    -T "/System/Library/Frameworks/CFNetwork.framework/Versions/A/Support/AuthBrokerAgent" \
    -T "/Applications/Safari.app" \
    "/Users/${userName}/Library/Keychains/login.keychain"

/usr/bin/sudo -u "${userName}" -H /usr/bin/security add-internet-password \
    -a "${domainUser}" \
    -l "proxyserver.servername.com (${domainUser})" \
    -s "proxyserver.servername.com" \
    -r "htpx" \
    -j "default" \
    -P "8080" \
    -w "${domainPassword}" \
    -t dflt \
    -T "/System/Library/Frameworks/CFNetwork.framework/Versions/A/Support/AuthBrokerAgent" \
    -T "/Applications/Safari.app" \
    "/Users/${userName}/Library/Keychains/login.keychain"

/usr/bin/sudo -u "${userName}" -H /usr/bin/security add-internet-password \
    -a "${domainUser}" \
    -l "proxyserver.servername.com (${domainUser})" \
    -s "proxyserver.servername.com" \
    -r "htsx" \
    -j "default" \
    -P "80" \
    -w "${domainPassword}" \
    -t dflt \
    -T "/System/Library/Frameworks/CFNetwork.framework/Versions/A/Support/AuthBrokerAgent" \
    -T "/Applications/Safari.app" \
    "/Users/${userName}/Library/Keychains/login.keychain"

/usr/bin/sudo -u "${userName}" -H /usr/bin/security add-internet-password \
    -a "${domainUser}" \
    -l "proxyserver.servername.com (${domainUser})" \
    -s "proxyserver.servername.com" \
    -r "htpx" \
    -j "default" \
    -P "80" \
    -w "${domainPassword}" \
    -t dflt \
    -T "/System/Library/Frameworks/CFNetwork.framework/Versions/A/Support/AuthBrokerAgent" \
    -T "/Applications/Safari.app" \
    "/Users/${userName}/Library/Keychains/login.keychain"

Aaron
Contributor II

@j.s. Do you specify port 80 because you run your proxy on port 80 as well as 8080, or because it works around some weird issue?

ammonsc
Contributor II

@j.s. Could you provide the whole script? I am having the worst time with the Macs and NTLM proxy auth.

jracosta
New Contributor III

Ditto please provide your script.

MacAdminLala
New Contributor II

The -t dflt wasn't working for me. I had to change it to -t mrof (not -t from), which seems to be some old big-endian/little-endian code break, but it worked with the change.

MacAdminLala
New Contributor II

Thanks to J.S.'s work above, this is working in our setup. The only change is the -t mrof line noted in my comment.

#!/bin/sh
# Example values as posted: userName is the logged-in AD account, domainUser the
# account name the proxy expects, domainPassword its password (placeholder here).
userName="abc-12345"
domainUser="12345"
domainPassword=$(date +%a)

/usr/bin/sudo -u "${userName}" -H /usr/bin/security add-internet-password \
    -a "${domainUser}" \
    -l "proxyserver.server.com (${domainUser})" \
    -s "proxyserver.server.com" \
    -r "http" \
    -j "default" \
    -P "8080" \
    -w "${domainPassword}" \
    -t mrof \
    -T "/System/Library/Frameworks/CFNetwork.framework/Versions/A/Support/AuthBrokerAgent" \
    -T "/Applications/Safari.app" \
    -T "/Applications/Google Chrome.app" \
    -T "/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/touristd" \
    -T "/System/Library/PrivateFrameworks/CoreParsec.framework/parsecd" \
    "/Users/${userName}/Library/Keychains/login.keychain-db"

/usr/bin/sudo -u "${userName}" -H /usr/bin/security add-internet-password \
    -a "${domainUser}" \
    -l "proxyserver.server.com (${domainUser})" \
    -s "proxyserver.server.com" \
    -r "htsx" \
    -j "default" \
    -P "8080" \
    -w "${domainPassword}" \
    -t mrof \
    -T "/System/Library/Frameworks/CFNetwork.framework/Versions/A/Support/AuthBrokerAgent" \
    -T "/Applications/Safari.app" \
    -T "/Applications/Google Chrome.app" \
    -T "/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/touristd" \
    -T "/System/Library/PrivateFrameworks/CoreParsec.framework/parsecd" \
    "/Users/${userName}/Library/Keychains/login.keychain-db"

/usr/bin/sudo -u "${userName}" -H /usr/bin/security add-internet-password \
    -a "${domainUser}" \
    -l "proxyserver.server.com (${domainUser})" \
    -s "proxyserver.server.com" \
    -r "htpx" \
    -j "default" \
    -P "8080" \
    -w "${domainPassword}" \
    -t mrof \
    -T "/System/Library/Frameworks/CFNetwork.framework/Versions/A/Support/AuthBrokerAgent" \
    -T "/Applications/Safari.app" \
    -T "/Applications/Google Chrome.app" \
    -T "/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/touristd" \
    -T "/System/Library/PrivateFrameworks/CoreParsec.framework/parsecd" \
    "/Users/${userName}/Library/Keychains/login.keychain-db"

exit 0
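Both keychain scripts above repeat the same `security add-internet-password` call once per protocol/port pair and hard-code which keychain file to write. The script below is an added example, not code from j_s_, MacAdminLala or Jamf: it derives the entry list from a port list and a protocol list, picks login.keychain-db or login.keychain depending on which exists, and after writing each entry reads it back with `find-internet-password`, so a rejected -t code or a wrong keychain file shows up as a failed check rather than as another round of prompts. It runs as a dry run on any system (printing the commands, never the password); `PROXY_HOST`, the port and protocol lists, the `APPLY=1` switch and the `jdoe` account are placeholders and assumptions, not values from the thread.

```bash
#!/bin/bash
# Added example, not from the thread. Plans one keychain entry per proxy
# protocol/port pair, prints the commands as a dry run, and with APPLY=1 on a
# Mac writes them to the login keychain and verifies each one by reading it back.
# PROXY_HOST, the port/protocol lists and the account name are placeholders.

PROXY_HOST="${PROXY_HOST:-proxyserver.example.com}"
PROXY_PORTS="${PROXY_PORTS:-8080 80}"
PROXY_PROTOS="${PROXY_PROTOS:-htpx htsx}"    # 4-char codes: htpx = HTTP proxy, htsx = HTTPS proxy
AUTH_TYPE="${AUTH_TYPE:-dflt}"                # the thread reports some builds only accept "mrof"
AUTH_BROKER="/System/Library/Frameworks/CFNetwork.framework/Versions/A/Support/AuthBrokerAgent"
SECURITY="${SECURITY:-/usr/bin/security}"

# Sierra and later store the login keychain as login.keychain-db; earlier
# releases use login.keychain. Return whichever exists under the given home.
keychain_path() {
    if [ -e "$1/Library/Keychains/login.keychain-db" ]; then
        printf '%s\n' "$1/Library/Keychains/login.keychain-db"
    else
        printf '%s\n' "$1/Library/Keychains/login.keychain"
    fi
}

# Emit one "proto port" line per combination; this is the full set of entries
# the auth broker has to find before it stops prompting.
plan_entries() {
    for proto in $PROXY_PROTOS; do
        for port in $PROXY_PORTS; do
            printf '%s %s\n' "$proto" "$port"
        done
    done
}

# Render the add-internet-password command for one entry without the password,
# so a dry run never prints a secret. $1=proto $2=port $3=account $4=keychain.
build_cmd() {
    printf '%s add-internet-password -a %s -l "%s (%s)" -s %s -r %s -P %s -j default -t %s -T %s -T /Applications/Safari.app -U %s\n' \
        "$SECURITY" "$3" "$PROXY_HOST" "$3" "$PROXY_HOST" "$1" "$2" "$AUTH_TYPE" "$AUTH_BROKER" "$4"
}

# Write one entry (-U updates an existing item) and read it back; a non-zero
# return means the item is not there in the form the auth broker will look for.
apply_one() {
    proto="$1"; port="$2"; account="$3"; keychain="$4"; password="$5"
    "$SECURITY" add-internet-password -a "$account" -l "$PROXY_HOST ($account)" \
        -s "$PROXY_HOST" -r "$proto" -P "$port" -j default -t "$AUTH_TYPE" \
        -w "$password" -T "$AUTH_BROKER" -T /Applications/Safari.app -U "$keychain" &&
    "$SECURITY" find-internet-password -a "$account" -s "$PROXY_HOST" \
        -r "$proto" -P "$port" "$keychain" >/dev/null 2>&1
}

# Apply every planned entry; the return value is the number that failed verification.
apply_entries() {
    failures=0
    while read -r proto port; do
        if apply_one "$proto" "$port" "$1" "$2" "$3"; then
            echo "ok: $proto $PROXY_HOST:$port"
        else
            echo "FAILED: $proto $PROXY_HOST:$port" >&2
            failures=$((failures + 1))
        fi
    done <<EOF
$(plan_entries)
EOF
    return "$failures"
}

account="${USER:-jdoe}"
keychain="$(keychain_path "${HOME:-/tmp}")"
if [ "${APPLY:-0}" = 1 ]; then
    apply_entries "$account" "$keychain" "$PROXY_PASSWORD"
else
    plan_entries | while read -r proto port; do
        build_cmd "$proto" "$port" "$account" "$keychain"
    done
fi
```

Two points worth keeping in mind when adapting it: the -w argument, used the same way in the thread's scripts, places the password on the command line, where it is visible in the process list for as long as `security` runs (when run interactively, drop -w and `security` prompts for the secret instead); and the read-back with `find-internet-password` only proves the item exists with the expected server, protocol and port, not that the proxy will accept the credential, so a failed login still needs to be checked against the proxy's own logs before it locks the AD account.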

rqomsiya
Contributor III

Hi @MacAdminLala

Are you using the logged-in user's account to set these, or a global service account? Not sure what you're referencing in the variables below:

userName="abc-12345"
domainUser="12345"
domainPassword=$(date +%a)

Thanks,
R

MacAdminLala
New Contributor II

@rqomsiya abc-12345 is my example logged in AD user account. I should've named it more obviously here.

nwiseman
Contributor

It may also be a good idea to look into something like Jamf Connect or Enterprise Connect. We just recently went through the whole BlueCoat deployment. We noticed the Kerberos issue that was pointed out previously, but what we noticed was that our users weren't logging out and in enough, so Kerberos would expire. The popups would start coming back until the Kerberos ticket was renewed. Having something like Jamf Connect or Enterprise Connect will make sure to keep the Kerberos tickets current.

RickDalton
New Contributor III

This script was made to be used with Enterprise Connect's 'change password' hook, but could be repurposed to add all proxies into the Keychain by IP.

#!/bin/bash

# Update Proxy Server Passwords

# AppleScript must be executed by the logged in user (i.e. console owner).

# Initialize global variables
UserName=""
UserPW=""

#UserName="$("$eccl" -p adUsernameKerberos | sed "s/adUsernameKerberos: //")"
# Read the AD account name from the Enterprise Connect keychain item; the
# "acct" attribute is printed as "acct"<blob>="name", so strip the quotes.
UserName=$(/usr/bin/security find-generic-password -l "Enterprise Connect" | grep "acct" | awk -F "=" '{print $2}' | tr -d '"')
if [ "$UserName" == "" ] ; then
    echo "Unable to retrieve user name."
    exit 1
fi

if [ -e "/Users/$(whoami)/Library/Keychains/login.keychain-db" ]; then
    UserKeychain="/Users/$(whoami)/Library/Keychains/login.keychain-db"
else
    UserKeychain="/Users/$(whoami)/Library/Keychains/login.keychain"
fi

# Loop until user enters a valid password.
validPassword=no
while [[ "$validPassword" == no ]] ; do
    #Ask user to supply their password
    UserPW="$(osascript -e 'set T to text returned of (display dialog "Enter your password:" with title "Web Proxy Server" buttons {"OK"} default button "OK" default answer "" with hidden answer with icon file (POSIX file "/path/to/company/logo/here" as text))')"
    passwordLength="$(echo -n "$UserPW" | wc -m)"

    # Make sure password is at least 8 characters.
    if [[ "$UserPW" != "" ]] && (( passwordLength > 7 )) ; then
        # Validate password is correct against the directory. dscl prints nothing on
        # success and an error on failure; capture stderr too so a failure is not
        # mistaken for an empty (successful) result.
        passwordCheck=$(/usr/bin/dscl /Search -authonly "$(whoami)" "$UserPW" 2>&1)
        #mobileAccountCheck="$(dscl . read /Users/username OriginalNodeName 2>/dev/null)"
        #if [ "$passwordCheck" == "" ] || [ "$mobileAccountCheck" != "" ] ; then
        if [ "$passwordCheck" == "" ] ; then
            echo "Entered valid password for $(whoami)"
            validPassword=yes
        fi
    fi
done

updateProxyPassword () {
    ProxyProtocol="$1" # either "htpx" or "htsx" (use "htsx" for https)
    ProxyServer="$2"
    ProxyPort="$3"
    ProxyAccount="${UserName}"
    ProxyLabel="${ProxyServer} (${ProxyAccount})"
    AuthBrokerAgentPath="/System/Library/Frameworks/CFNetwork.framework/Versions/A/Support/AuthBrokerAgent"
    NetworkPrefGroup="group://NetworkPrefGroup"
    RemoteServicePath="/System/Library/PreferencePanes/Network.prefPane/Contents/XPCServices/com.apple.preference.network.remoteservice.xpc"
    SafariPath="/Applications/Safari.app"

    # Delete old keychain entry
    /usr/bin/security delete-internet-password -l "${ProxyLabel}" -r "${ProxyProtocol}" "$UserKeychain"

    # Add new keychain entry
    /usr/bin/security add-internet-password -l "${ProxyLabel}" -s "${ProxyServer}" -P "${ProxyPort}" -r "${ProxyProtocol}" -C "dflt" -j "default" -d "${ProxyServer}" -a "${ProxyAccount}" -w "$UserPW" -U -T "$AuthBrokerAgentPath" -T "$RemoteServicePath" -T "$NetworkPrefGroup" -T "/usr/bin/security" -T "$SafariPath" "$UserKeychain" 
    #/usr/bin/security add-internet-password -l "${ProxyLabel}" -s "${ProxyServer}" -P "${ProxyPort}" -r "${ProxyProtocol}" -C "dflt" -j "default" -d "${ProxyServer}" -a "${ProxyAccount}" -w "$UserPW" -U -A "$UserKeychain" 
    /usr/bin/security set-internet-password-partition-list -S "apple-tool:,apple:" -l "${ProxyLabel}" -a "${ProxyAccount}" -s "${ProxyServer}" -P "${ProxyPort}" -r "${ProxyProtocol}" -d "${ProxyServer}" -k "$UserPW" "$UserKeychain" 

    #Example adding third-parth (non-Apple) code signatures.  Substitute "00000000" for the applications Team ID.
    #/usr/bin/security set-internet-password-partition-list -S "apple-tool:,apple:,teamid:00000000" -l "${ProxyLabel}" -a "${ProxyAccount}" -s "${ProxyServer}" -P "${ProxyPort}" -r "${ProxyProtocol}" -d "${ProxyServer}" -k "$UserPW"

    echo "Changed password for proxy server: $ProxyServer"
}

addProxyPassword () {
    updateProxyPassword "htpx" "$1" "80" 
    updateProxyPassword "htsx" "$1" "80"
    #updateProxyPassword "http" "$1" "80"
    #updateProxyPassword "htps" "$1" "80"
}

deleteProxyPassword () {
    ProxyProtocol="$1" # either "htpx" or "htsx" (use "htsx" for https)
    ProxyServer="$2"
    ProxyAccount="${UserName}"
    ProxyLabel="${ProxyServer} (${ProxyAccount})"
    /usr/bin/security delete-internet-password -l "${ProxyLabel}" -r "${ProxyProtocol}" "$UserKeychain"
    echo "Deleted password for proxy server: $ProxyServer"
}

removeProxyPassword () {
    deleteProxyPassword "htpx" "$1" "80" 
    deleteProxyPassword "htsx" "$1" "80"
    deleteProxyPassword "http" "$1" "80"
    deleteProxyPassword "htps" "$1" "80"
}

# === BEGIN Update Keychain Password Settings ===

    # Pass "htsx" for https or "htpx" for http followed by the proxy server and port as arguments.
    # If an IP address is used, Safari will not try to use Kerberos for authentication.
    #deleteProxyPassword "htpx" "10.0.0.1" "3128" 
    #deleteProxyPassword "htsx" "10.0.0.1" "3128"
    #deleteProxyPassword "http" "10.0.0.1" "3128"
    #updateProxyPassword "htpx" "10.0.0.1" "3128" 
    #updateProxyPassword "htsx" "10.0.0.1" "3128"
    #updateProxyPassword "http" "10.0.0.1" "3128"
    #updateProxyPassword "htps" "10.0.0.1" "3128"

# List of proxy IPs below is up to date as of --/--/----
# Example proxy IPs below (list all, separated by spaces).

for proxy in \
    10.0.0.1 10.0.0.2 \
    10.0.0.3 10.0.0.4 \
    10.0.0.5 10.0.0.6 ; do
    addProxyPassword "$proxy"
done

# === END Update Keychain Password Settings ===

# Clear any errors.
exit 0