ProxySG & Advanced Secure Gateway

  • 1.  Browser requests for http://proxy/favicon.ico result in auth loops

    Posted Jun 28, 2018 12:16 PM

    Here's another fun one. Occasionally during an HTTP authentication, a client browser will initiate a new HTTP request for the proxy's favicon.ico file. The proxy will reply with an authentication redirect and after a negotiation resulting in the client providing its Kerberos ticket, the proxy will redirect back to the favicon.ico file. The client requests it again, and the process starts over. This results in dozens of loops per client.

    Nearly all browsers here are IE11, so that's the only user-agent I've seen. In a given 5-minute packet capture I'll see two or three clients exhibit this behavior.

    I've only ever seen this with HTTP sessions, not HTTPS, but I suspect that's only because of the difficulty of decrypting the sessions in Wireshark. I did experiment with a workstation on which I limited the cipher suites to only one that I can decrypt. I wasn't able to replicate the behavior though.

    Combined with this, the proxy makes dozens of DNS queries to resolve its own IWA auth virtual URL. For example, in our case the http auth virtual URL is "http://proxysg". When a client requests "http://proxysg/favicon.ico", the proxy tries to resolve that name. Since our DNS doesn't have an entry for the host without a domain suffix, the query fails and the server responds with a server failure reply code.

    And while looking specifically at DNS traffic from the proxy, it's also making frequent queries for the names "ssl" and "https". I haven't found a cause for this behavior yet though.



  • 2.  RE: Browser requests for http://proxy/favicon.ico result in auth loops

    Posted Jun 29, 2018 02:43 PM

    I added the following CPL to my local policy file to track these requests:

    <Proxy>
    ; match favicon requests aimed at the authentication virtual URL and fire the action below
    url.domain=proxysg url.regex=favicon.ico action.logfavicon(yes)

    define action logfavicon
       ; writes one event-log line per matching request
       log_message("$(client.address) requested $(url) with agent $(request.header.User-Agent)")
    end action logfavicon

    (Replace the URL domain above with whatever your authentication virtual URL is.)

    It appears to affect both HTTP and HTTPS, Windows 7 and Windows 10, Firefox, Chrome, and IE.
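The log_message line above can be turned into a detector. The following script is an added example, not code from the thread or from the ProxySG product: it parses lines of the form "<client> requested <url> with agent <User-Agent>" and flags any client whose favicon.ico requests reach a threshold inside a sliding five-minute window (the loop the first post describes). The "YYYY/MM/DD HH:MM:SS" timestamp prefix and the sample lines are constructed assumptions; adjust the regex to the actual event-log layout.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message body as emitted by the log_message() action in the post above; the
# "YYYY/MM/DD HH:MM:SS" prefix is an assumed event-log timestamp format.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<client>\S+) requested (?P<url>\S+) with agent (?P<agent>.*)$"
)

def parse_line(line):
    """Return (timestamp, client, url, agent), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
    return ts, m.group("client"), m.group("url"), m.group("agent")

def looping_clients(lines, window=timedelta(minutes=5), threshold=10):
    """Map client -> (peak favicon hits within any `window`, first agent seen).
    One favicon fetch per session is normal; `threshold` hits in one window is the loop."""
    hits, agents = defaultdict(list), {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec[2].endswith("/favicon.ico"):
            continue
        ts, client, _, agent = rec
        hits[client].append(ts)
        agents.setdefault(client, agent)
    flagged = {}
    for client, times in hits.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[client] = (peak, agents[client])
    return flagged

# Constructed sample: one looping IE11 client (12 hits in 22 s) and one normal client.
SAMPLE_LOG = [
    f"2018/06/28 12:16:{s:02d} 192.0.2.10 requested http://proxysg/favicon.ico "
    "with agent Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
    for s in range(0, 24, 2)
] + [
    "2018/06/28 12:16:05 192.0.2.20 requested http://proxysg/favicon.ico with agent Mozilla/5.0 Firefox/60.0",
]
```

Running `looping_clients(SAMPLE_LOG)` reports only 192.0.2.10, with its peak count and user-agent, which is the per-client view needed to decide whether the bypass or silent-deny policy in the later replies is worth deploying.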



  • 3.  RE: Browser requests for http://proxy/favicon.ico result in auth loops

    Posted Jul 01, 2018 11:40 PM

    Hi Dan,

    What if we try to bypass auth for this URL? This will avoid further loops. The attempt to fetch the favicon.ico seems to be modern browsers' default behavior.


    <Proxy>
    url.domain=proxysg url.path.exact=/favicon.ico authenticate(no)



  • 4.  RE: Browser requests for http://proxy/favicon.ico result in auth loops

    Posted Jul 11, 2018 01:43 PM

    Better yet, this:

    <Proxy>
    url.domain=proxysg url.regex=favicon.ico force_exception(user_defined.silent_deny)


    Combined with this:

    (exceptions
      (user_defined
        (exception.silent_deny
          (contact)
          (details " ")
          (format " ")
          (help " ")
          (summary " ")
          (http
            (code "200")
            (contact)
            (details)
            (format)
            (help)
            (summary)
          )
        )
      )
    )



  • 5.  RE: Browser requests for http://proxy/favicon.ico result in auth loops

    Posted Jul 12, 2018 12:03 AM

    That's perfect :)