Hello Abdul,
This is a common issue when some small steps get overlooked or if the third-party browser has a bug.
Examples:
- The certificate used in the proxy Reverse Service for Proxy Auth redirection was not installed in Firefox. BTW, Firefox doesn't share the same certificate store as IE, so Firefox doesn't trust the proxy and thus won't provide the credentials. BTW, you should reset Firefox to its default settings, then make sure the certificate is in the right place, then figure out what the error is first, then proceed further, making adjustments to the Firefox settings based on the error Firefox triggers, etc.
- Chrome won't trust a web server that provides a certificate that does not contain the SAN attribute, meaning the certificate used in the Reverse Service for Proxy Auth has to have all the fields required by the Chrome browser, else Chrome won't provide the credentials, etc. Also mentioned here.
You may think: why does this work with IE and Edge? Well, because the security requirements of IE and Edge are way lower than those of Chrome and Firefox.
Since you have not provided any errors, and I am sure they are different for each browser, it's hard to say; the above is based on common root causes.
I hope this helps.
Slava
Original Message:
Sent: 03-15-2021 05:26 AM
From: Abdul Razzaque
Subject: Transparent Authentication with Firefox and Chrome
We have deployed a transparent proxy with two IWA realms, one for SSL_Auth and the other for nonSSL Auth. We are doing SSL interception as well. Things are working fine with Internet Explorer and Microsoft Edge. However, with Firefox and Chrome, the IWA authentication is not happening. It simply says login required and then nothing happens. I did all the tweaks found on a Google search:
1. Adding the virtual URL to the trusted site list
2. Enabling IWA in the Windows Internet Options settings
3. For Firefox:
   - network.automatic-ntlm-auth.trusted-uris --> added virtual URL for SSL and nonSSL auth (http://infra-proxy-101,https://infra-proxy-101:4433)
   - network.negotiate.auth.delegation-uris --> added virtual URL for SSL and nonSSL auth (http://infra-proxy-101,https://infra-proxy-101:4433)
   - network.negotiate-auth.trusted-uris --> added virtual URL for SSL and nonSSL auth (http://infra-proxy-101,https://infra-proxy-101:4433)
   - network.automatic-ntlm-auth.allow-non-fqdn set to TRUE
Nothing seems to work. Proxy OS version is 6.7.4.3.
We are in the rollout phase and stuck because most of the users are using Chrome and Firefox.
Urgent help would be helpful.
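
One way to check the SAN point raised in the reply, as an added example that is not part of the thread or of the proxy vendor's tooling: it reports whether a certificate carries a DNS subjectAltName for the virtual URL host, ignoring the CN as Chrome does. The function names and the file name proxy.pem are hypothetical, the test certificate is constructed, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl CLI.

# san_names CERT.pem: print each DNS subjectAltName entry on its own line.
san_names() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# san_covers CERT.pem HOST
#   0 = a DNS SAN matches HOST (case-insensitive, one-label wildcard allowed)
#   1 = DNS SANs exist but none match HOST
#   2 = no DNS SAN at all; the subject CN is deliberately not consulted
san_covers() {
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    names=$(san_names "$1" | tr 'A-Z' 'a-z')
    [ -n "$names" ] || return 2
    while IFS= read -r n; do
        case "$n" in
            "$host") return 0 ;;
            \*.*)  # "*.corp.example" covers exactly one leftmost label
                rest=${host#*.}
                [ "$rest" != "$host" ] && [ "*.$rest" = "$n" ] && return 0 ;;
        esac
    done <<EOF
$names
EOF
    return 1
}

# make_demo_cert OUT.pem HOST [san]: constructed self-signed test certificate
# with CN=HOST; a DNS SAN for HOST is added only when the third argument is set.
make_demo_cert() {
    cnf=$(mktemp)
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=%s\n[ext]\nsubjectAltName=DNS:%s\n' \
        "$2" "$2" > "$cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cnf" \
        ${3:+-extensions ext} -keyout "$cnf.key" -out "$1" 2>/dev/null
    rm -f "$cnf" "$cnf.key"
}

# Against a live listener (host and port as given in the original message):
#   openssl s_client -connect infra-proxy-101:4433 </dev/null 2>/dev/null |
#       openssl x509 -out proxy.pem
#   san_covers proxy.pem infra-proxy-101; echo "result: $?"
```

A result of 2 for the certificate served on the authentication virtual URL corresponds to the missing-SAN case described in the reply.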