Posted on 02-07-2017 04:01 PM
Hi all,
Just wondering if any of you ever came across this and possibly have a solution.
A few users in my company have complained that when they get onto the internet, they are greeted with a pop-up window asking for Proxy Authentication. This happens every time, so obviously the user gets quite frustrated having to type in their password all the time.
I personally don't seem to have this issue. I believe my keychain has saved my password properly, and therefore doesn't ask me over and over and over again.
So, is there something wrong with the end-user's keychain? Or is it something else?
Anyone got an easy way to resolve this?
Most of the users are on OS X El Capitan 10.11.6, btw.
Posted on 02-08-2017 05:06 PM
Hey Mate,
I would flag this with your networks / core infra team, as some of the VLANs may be sitting behind a proxy server or be misconfigured.
We use proxies for lab environments for devices on a particular network range (could be a hint)
Just my thoughts, unless there are manual proxy settings applied to your network config somewhere in the JSS, or users with admin rights changing the settings themselves?
Good luck on this one!
Posted on 02-08-2017 06:47 PM
This is a very common issue, and one I've had to deal with for years.
I've found that it got worse with each version of OS X, but then suddenly in Sierra it's good again. Now that Apple has addressed the Sierra/AD lockout issues with 10.12.3, I've been deploying this to those affected the worst. Basically (I don't know if it was a bug or not), the CFProxySupport API will not consult the keychain. My Apple dev bookmarks I've got for this are no longer valid, so I'm guessing it's deprecated now.
Depending on your proxy appliance, I've found that it can work better if you prefix the username with your domain, i.e. "domainusername". When we had a Bluecoat proxy this wasn't required, but then we switched to a Cisco Ironport and we found that it was required; otherwise it'd fail and fall back to basic auth.
If you can't upgrade to Sierra because of SecOp reasons, you can look into deploying a solution with cntlm. I had this briefly before Sierra came along.
Posted on 02-09-2017 11:55 AM
We had this issue when our BlueCoat proxy servers didn't have Kerberos enabled; once we enabled Kerberos the prompts went away. Additionally, there are Apple services that try to phone home that are not proxy friendly and will also challenge for credentials; we had to manually open them to allow unauthenticated access out.
Posted on 02-26-2018 12:01 PM
We are currently experiencing this issue with a Bluecoat proxy server. Users are actually having their AD accounts get locked by failed login attempts to the proxy server. Does anyone have a list of the Apple services that phone home and need to be allowed through the proxy unauthenticated?
Posted on 02-26-2018 01:35 PM
Apple recommends that you open your environment to their 17.0.0.0/8 block of IP addresses. Since our network team didn't like that answer, we had to open everything manually. Your network team should be able to tell you where the machines are trying to get to; if not, you can try tools like Little Snitch and Charles Proxy. Hope this helps.
Posted on 02-26-2018 02:23 PM
This was an ongoing issue for us, even after opening 17/8. I developed a script which populates the required keychain entries for our proxy. In our case, we needed to define multiple ports -P (8080 or 80 - http/https) and protocols -r (htpx, htsx) to suppress the proxy prompts.
Here is a snippet of the code; hope it helps.
#!/bin/sh
# Snippet: userName, domainUser and domainPassword are set earlier in the full script.
# One add-internet-password call per protocol (htsx/htpx) and port (8080/80).
/usr/bin/sudo -u "${userName}" -H /usr/bin/security add-internet-password \
    -a "${domainUser}" \
    -l "proxyserver.servername.com ($domainUser)" \
    -s "proxyserver.servername.com" \
    -r "htsx" \
    -j "default" \
    -P "8080" \
    -w "${domainPassword}" \
    -t dflt \
    -T "/System/Library/Frameworks/CFNetwork.framework/Versions/A/Support/AuthBrokerAgent" \
    -T "/Applications/Safari.app" \
    /Users/"${userName}"/Library/Keychains/login.keychain
/usr/bin/sudo -u "${userName}" -H /usr/bin/security add-internet-password \
    -a "${domainUser}" \
    -l "proxyserver.servername.com ($domainUser)" \
    -s "proxyserver.servername.com" \
    -r "htpx" \
    -j "default" \
    -P "8080" \
    -w "${domainPassword}" \
    -t dflt \
    -T "/System/Library/Frameworks/CFNetwork.framework/Versions/A/Support/AuthBrokerAgent" \
    -T "/Applications/Safari.app" \
    /Users/"${userName}"/Library/Keychains/login.keychain
/usr/bin/sudo -u "${userName}" -H /usr/bin/security add-internet-password \
    -a "${domainUser}" \
    -l "proxyserver.servername.com ($domainUser)" \
    -s "proxyserver.servername.com" \
    -r "htsx" \
    -j "default" \
    -P "80" \
    -w "${domainPassword}" \
    -t dflt \
    -T "/System/Library/Frameworks/CFNetwork.framework/Versions/A/Support/AuthBrokerAgent" \
    -T "/Applications/Safari.app" \
    /Users/"${userName}"/Library/Keychains/login.keychain
/usr/bin/sudo -u "${userName}" -H /usr/bin/security add-internet-password \
    -a "${domainUser}" \
    -l "proxyserver.servername.com ($domainUser)" \
    -s "proxyserver.servername.com" \
    -r "htpx" \
    -j "default" \
    -P "80" \
    -w "${domainPassword}" \
    -t dflt \
    -T "/System/Library/Frameworks/CFNetwork.framework/Versions/A/Support/AuthBrokerAgent" \
    -T "/Applications/Safari.app" \
    /Users/"${userName}"/Library/Keychains/login.keychain
Posted on 02-26-2018 05:40 PM
@j.s. Do you specify port 80 because you run your proxy on port 80 as well as 8080, or because it works around some weird issue?
Posted on 10-31-2018 06:08 AM
@j.s. Could you provide the whole script? I am having the worst time with the Macs and NTLM proxy auth.
Posted on 11-01-2018 08:16 AM
Ditto please provide your script.
Posted on 05-17-2019 02:39 PM
The -t dflt wasn't working for me. I had to change it to -t mrof (not -t form), which seems to be some old big endian/little endian code break, but it worked with the change.
Posted on 05-17-2019 02:45 PM
Thanks to J.S.'s work above, this is working in our setup. The only change is the -t mrof line noted in my comment.
#!/bin/sh
# Example values from the poster; set these to the real logged-in user, account and password.
userName="abc-12345"
domainUser="12345"
domainPassword=$(date +%a)
# One add-internet-password call per protocol (http/htsx/htpx) on port 8080.
/usr/bin/sudo -u "${userName}" -H /usr/bin/security add-internet-password \
    -a "${domainUser}" \
    -l "proxyserver.server.com ($domainUser)" \
    -s "proxyserver.server.com" \
    -r "http" \
    -j "default" \
    -P "8080" \
    -w "${domainPassword}" \
    -t mrof \
    -T "/System/Library/Frameworks/CFNetwork.framework/Versions/A/Support/AuthBrokerAgent" \
    -T "/Applications/Safari.app" \
    -T "/Applications/Google Chrome.app" \
    -T "/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/touristd" \
    -T "/System/Library/PrivateFrameworks/CoreParsec.framework/parsecd" \
    /Users/"${userName}"/Library/Keychains/login.keychain-db
/usr/bin/sudo -u "${userName}" -H /usr/bin/security add-internet-password \
    -a "${domainUser}" \
    -l "proxyserver.server.com ($domainUser)" \
    -s "proxyserver.server.com" \
    -r "htsx" \
    -j "default" \
    -P "8080" \
    -w "${domainPassword}" \
    -t mrof \
    -T "/System/Library/Frameworks/CFNetwork.framework/Versions/A/Support/AuthBrokerAgent" \
    -T "/Applications/Safari.app" \
    -T "/Applications/Google Chrome.app" \
    -T "/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/touristd" \
    -T "/System/Library/PrivateFrameworks/CoreParsec.framework/parsecd" \
    /Users/"${userName}"/Library/Keychains/login.keychain-db
/usr/bin/sudo -u "${userName}" -H /usr/bin/security add-internet-password \
    -a "${domainUser}" \
    -l "proxyserver.server.com ($domainUser)" \
    -s "proxyserver.server.com" \
    -r "htpx" \
    -j "default" \
    -P "8080" \
    -w "${domainPassword}" \
    -t mrof \
    -T "/System/Library/Frameworks/CFNetwork.framework/Versions/A/Support/AuthBrokerAgent" \
    -T "/Applications/Safari.app" \
    -T "/Applications/Google Chrome.app" \
    -T "/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/touristd" \
    -T "/System/Library/PrivateFrameworks/CoreParsec.framework/parsecd" \
    /Users/"${userName}"/Library/Keychains/login.keychain-db
exit
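As an added example (not J.S.'s or any other poster's script), here are the repeated add-internet-password calls above collapsed into one loop over the thread's two protocol codes and two ports, with the -t form/mrof reversal from the previous comment and a dry-run mode that prints the commands without the password. The proxy host name, the DRY_RUN switch and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not a script from the thread: one loop that creates the keychain
# internet-password item for every (protocol, port) pair instead of repeating the
# security(1) call by hand. Assumed values: PROXY_HOST, PORTS, PROTOCOLS, DRY_RUN.
PROXY_HOST="${PROXY_HOST:-proxyserver.example.com}"  # assumption: your proxy's DNS name
PORTS="8080 80"                                       # both ports used in the thread
PROTOCOLS="htpx htsx"                                 # http-proxy / https-proxy codes for -r
AUTHBROKER=/System/Library/Frameworks/CFNetwork.framework/Versions/A/Support/AuthBrokerAgent
DRY_RUN="${DRY_RUN:-1}"                               # 1 = print the commands, 0 = run them

# Reverse a four-character code: "form" reversed is "mrof", the byte-swapped value one
# poster needed for -t where "dflt" did not work.
reverse4() {
  printf '%s' "$1" | awk '{ for (i = length($0); i > 0; i--) printf "%s", substr($0, i, 1) }'
}

# Build and run (or, in a dry run, print) the add-internet-password command for one item.
# Arguments: account protocol port authtype password keychain. -w puts the password on
# the command line, as the thread's scripts do, so it is visible in the process list
# while security runs; the dry run prints "<password>" in its place so it can be logged.
add_item() {
  if [ "$DRY_RUN" = 1 ]; then set -- "$1" "$2" "$3" "$4" '<password>' "$6"; fi
  set -- /usr/bin/security add-internet-password \
    -a "$1" -l "$PROXY_HOST ($1)" -s "$PROXY_HOST" -r "$2" -j default -P "$3" -t "$4" -U \
    -T "$AUTHBROKER" -T /Applications/Safari.app -w "$5" "$6"
  if [ "$DRY_RUN" = 1 ]; then printf "'%s' " "$@"; echo; else "$@"; fi
}

# Create every protocol/port combination for one account.
# Arguments: account authtype password keychain.
populate_proxy_items() {
  for proto in $PROTOCOLS; do
    for port in $PORTS; do
      add_item "$1" "$proto" "$port" "$2" "$3" "$4"
    done
  done
}

# Usage: DRY_RUN=0 ./proxy-keychain.sh <account> [authtype]; the default is a dry run.
if [ $# -ge 1 ]; then
  PW=''
  if [ "$DRY_RUN" = 0 ]; then
    printf 'Password for %s: ' "$1" >&2
    stty -echo 2>/dev/null; read -r PW; stty echo 2>/dev/null; echo >&2
  fi
  populate_proxy_items "$1" "${2:-dflt}" "$PW" "$HOME/Library/Keychains/login.keychain-db"
fi
```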
Posted on 05-30-2019 10:05 AM
Are you using the logged-in user's account to set these or a global service account? Not sure what you're referencing with the variables below:
userName="abc-12345"
domainUser="12345"
domainPassword=$(date +%a)
Thanks,
R
Posted on 06-03-2019 09:43 AM
@rqomsiya abc-12345 is my example logged in AD user account. I should've named it more obviously here.
Posted on 06-03-2019 10:43 AM
May also be a good idea to look into something like Jamf Connect or Enterprise Connect. We just recently went through the whole BlueCoat deployment. We noticed the Kerberos issue that was pointed out previously, but what we noticed was that our users weren't logging out and in enough, so Kerberos would expire. The pop-ups would start coming back until the Kerberos ticket was renewed. Having something like Jamf Connect or Enterprise Connect will make sure to keep the Kerberos tickets current.
Posted on 06-21-2019 11:51 AM
Script was made to be used with Enterprise Connect's 'change password' hook but could be repurposed to add all proxies into the Keychain by IP.
#!/bin/bash
# Update Proxy Server Passwords
# AppleScript must be executed by the logged in user (i.e. console owner).

# Initialize global variables
UserName=""
UserPW=""

#UserName="$("$eccl" -p adUsernameKerberos | sed "s/adUsernameKerberos: //")"
UserName=$(/usr/bin/security find-generic-password -l "Enterprise Connect" | grep "acct" | awk -F "=" '{print $2}' | tr -d '"')
if [ "$UserName" == "" ] ; then
    echo "Unable to retrieve user name."
    exit 1
fi

# macOS 10.12 and later use login.keychain-db; older releases use login.keychain.
if [ -e "/Users/$(whoami)/Library/Keychains/login.keychain-db" ]; then
    UserKeychain="/Users/$(whoami)/Library/Keychains/login.keychain-db"
else
    UserKeychain="/Users/$(whoami)/Library/Keychains/login.keychain"
fi

# Loop until user enters a valid password.
validPassword=no
while [[ "$validPassword" == no ]] ; do
    # Ask user to supply their password (the AppleScript is single-quoted so its double quotes survive).
    UserPW="$(osascript -e 'set T to text returned of (display dialog "Enter your password:" with title "Web Proxy Server" buttons {"OK"} default button "OK" default answer "" with hidden answer with icon file (POSIX file "/path/to/company/logo/here" as text))')"
    passwordLength="$(echo -n "$UserPW" | wc -m)"
    # Make sure password is at least 8 characters.
    if [[ "$UserPW" != "" ]] && (( passwordLength > 7 )) ; then
        # Validate password is correct against local user account (dscl prints nothing on success).
        passwordCheck=$(/usr/bin/dscl /Search -authonly "$(whoami)" "$UserPW" 2>&1)
        #mobileAccountCheck="$(dscl . read /Users/username OriginalNodeName 2>/dev/null)"
        #if [ "$passwordCheck" == "" ] || [ "$mobileAccountCheck" != "" ] ; then
        if [ "$passwordCheck" == "" ] ; then
            echo "Entered valid password for $(whoami)"
            validPassword=yes
        fi
    fi
done

updateProxyPassword () {
    ProxyProtocol="$1"  # either "htpx" or "htsx" (use "htsx" for https)
    ProxyServer="$2"
    ProxyPort="$3"
    ProxyAccount="${UserName}"
    ProxyLabel="${ProxyServer} (${ProxyAccount})"
    AuthBrokerAgentPath="/System/Library/Frameworks/CFNetwork.framework/Versions/A/Support/AuthBrokerAgent"
    NetworkPrefGroup="group://NetworkPrefGroup"
    RemoteServicePath="/System/Library/PreferencePanes/Network.prefPane/Contents/XPCServices/com.apple.preference.network.remoteservice.xpc"
    SafariPath="/Applications/Safari.app"
    # Delete old keychain entry
    /usr/bin/security delete-internet-password -l "${ProxyLabel}" -r "${ProxyProtocol}" "$UserKeychain"
    # Add new keychain entry; each -T names an application allowed to read it without a prompt
    /usr/bin/security add-internet-password -l "${ProxyLabel}" -s "${ProxyServer}" -P "${ProxyPort}" \
        -r "${ProxyProtocol}" -C "dflt" -j "default" -d "${ProxyServer}" -a "${ProxyAccount}" -w "$UserPW" -U \
        -T "$AuthBrokerAgentPath" -T "$RemoteServicePath" -T "$NetworkPrefGroup" -T "/usr/bin/security" -T "$SafariPath" \
        "$UserKeychain"
    # Alternative: -A allows any application to read the item (less restrictive than the -T list above)
    #/usr/bin/security add-internet-password -l "${ProxyLabel}" -s "${ProxyServer}" -P "${ProxyPort}" -r "${ProxyProtocol}" -C "dflt" -j "default" -d "${ProxyServer}" -a "${ProxyAccount}" -w "$UserPW" -U -A "$UserKeychain"
    # Partition list for 10.12+: lets Apple-signed code and the security tool use the item without a prompt
    /usr/bin/security set-internet-password-partition-list -S "apple-tool:,apple:" -l "${ProxyLabel}" -a "${ProxyAccount}" \
        -s "${ProxyServer}" -P "${ProxyPort}" -r "${ProxyProtocol}" -d "${ProxyServer}" -k "$UserPW" "$UserKeychain"
    # Example adding third-party (non-Apple) code signatures. Substitute "00000000" for the application's Team ID.
    #/usr/bin/security set-internet-password-partition-list -S "apple-tool:,apple:,teamid:00000000" -l "${ProxyLabel}" -a "${ProxyAccount}" -s "${ProxyServer}" -P "${ProxyPort}" -r "${ProxyProtocol}" -d "${ProxyServer}" -k "$UserPW"
    echo "Changed password for proxy server: $ProxyServer"
}

addProxyPassword () {
    updateProxyPassword "htpx" "$1" "80"
    updateProxyPassword "htsx" "$1" "80"
    #updateProxyPassword "http" "$1" "80"
    #updateProxyPassword "htps" "$1" "80"
}

deleteProxyPassword () {
    ProxyProtocol="$1"  # either "htpx" or "htsx" (use "htsx" for https)
    ProxyServer="$2"
    ProxyAccount="${UserName}"
    ProxyLabel="${ProxyServer} (${ProxyAccount})"
    /usr/bin/security delete-internet-password -l "${ProxyLabel}" -r "${ProxyProtocol}" "$UserKeychain"
    echo "Deleted password for proxy server: $ProxyServer"
}

removeProxyPassword () {
    deleteProxyPassword "htpx" "$1" "80"
    deleteProxyPassword "htsx" "$1" "80"
    deleteProxyPassword "http" "$1" "80"
    deleteProxyPassword "htps" "$1" "80"
}

# === BEGIN Update Keychain Password Settings ===
# Pass "htsx" for https or "htpx" for http followed by the proxy server and port as arguments.
# If an IP address is used, Safari will not try to use Kerberos for authentication.
#deleteProxyPassword "htpx" "10.0.0.1" "3128"
#deleteProxyPassword "htsx" "10.0.0.1" "3128"
#deleteProxyPassword "http" "10.0.0.1" "3128"
#updateProxyPassword "htpx" "10.0.0.1" "3128"
#updateProxyPassword "htsx" "10.0.0.1" "3128"
#updateProxyPassword "http" "10.0.0.1" "3128"
#updateProxyPassword "htps" "10.0.0.1" "3128"

# List of proxy IPs below is up to date as of --/--/----
# Example proxy IPs below (list all with a space between each one)
proxies=(
    10.0.0.1 10.0.0.2
    10.0.0.3 10.0.0.4
    10.0.0.5 10.0.0.6
)
for proxy in "${proxies[@]}" ; do
    addProxyPassword "$proxy"
done
# === END Update Keychain Password Settings ===

# Clear any errors.
exit 0