Secure One Services Group

Expand all | Collapse all

ProxySG | Chrome issues with authentication

Jump to Best Answer
  • 1.  ProxySG | Chrome issues with authentication

    Posted 08-23-2018 04:19 AM

    Dear All,

      When access to internet correctly with IE normal to pop-ups authentication, but if we access with Google Chrome the pop-ups aren't showed.

    Customer use Chrome lates version. please help to recommend for workaround or how to fix this issues of Chrome Browser.

     

    and i would like to fix problem about authentication too when i check we found anonymous logon so much.

     

    Best Regards,

    Chakuttha R.

     



  • 2.  RE: ProxySG | Chrome issues with authentication

    Broadcom Employee
    Posted 08-23-2018 07:06 AM

    Hi Chakuttha,

     

                When accessing via chrome, what does the trace show the user as ? Is it correct logged in user ? With chrome are they able to access internet or does it gives back any error ?



  • 3.  RE: ProxySG | Chrome issues with authentication

    Posted 08-23-2018 11:17 AM

    because chrome don't show  pop-ups to login. when client access to internet it will be policy denied because don't have authorize to access internet.



  • 4.  RE: ProxySG | Chrome issues with authentication

    Posted 08-23-2018 11:20 AM

    please recommend how to check this issues or have any workaround for this case.



  • 5.  RE: ProxySG | Chrome issues with authentication

    Posted 08-23-2018 10:50 PM

    Can i send sysinfo to you for help to check?



  • 6.  RE: ProxySG | Chrome issues with authentication

    Broadcom Employee
    Posted 08-23-2018 10:52 PM

    Hi Chakuttha,

     

               It is not easy to say why you are not getting a pop-up. My assumption with minimal information is that the machine not in domain and the chrome is passing a local login or anonymous service accounts to proxy. If this account passes authentication at the AD side, proxy will consider it as valid login. Since there is no access rule defined for this user, you end up getting Policy denied. Can you get me a pcap when this is tested ? If you can get separate PCAPs for IE and Chrome, it will be better.



  • 7.  RE: ProxySG | Chrome issues with authentication

    Posted 09-08-2018 12:36 PM
      |   view attached

    Dear Aravind,

       For this case my team by Pakorn he was found something wrong for make issues occurred only Chrome Browser not Pop-up Authentication

     

    following picture as below or you can see from attach file

     

    if virtual url for authen use https error occurred as same as below

    if virtual url for authen use http not have pop-up to authen

     

     

    Please recommend for fix Certificate error Subject Alternative name missing

     

     



  • 8.  RE: ProxySG | Chrome issues with authentication
    Best Answer

    Broadcom Employee
    Posted 09-09-2018 12:25 PM

    Hi Chakuttha,

                      The error screenshot shows 2 issues. One is Common Name Invalid which is since the url was accessed with its IP address 192.168.6.112 instead of proxy1.port.co.th. This can be fixed by using the FQDN instead of IP address.

     

                       The second error of Subject Alternative Name missing is a bit problematic one. Due to security issues, chrome now expects the common name to be added in the certificate as SAN (aka Subject Alt Name). This will need the certificate to be re-signed with SAN extension. You can read more about this at https://support.google.com/chrome/a/answer/7391219?hl=en . When resigning the certificate, the name proxy1.port.co.th should also be added in as a SAN name.
     



  • 9.  RE: ProxySG | Chrome issues with authentication

    Posted 09-10-2018 06:47 AM

    Dear Aravind,

      For create CSR from Proxy not support SAN ?

     



  • 10.  RE: ProxySG | Chrome issues with authentication

    Broadcom Employee
    Posted 09-10-2018 06:58 AM

    Hi Chakuttha,

     

                    SAN is added to the certifcate as an extension. There is no need to be present in the CSR. Enabling the CA to sign using this extra extension will solve the issue.