Firefox/Chrome Authentication Prompts

Hi, 
I am facing an issue where Firefox/Chrome prompt for authentication on domain-joined Windows 7 machines but IE does not. The setup uses an explicit proxy and is configured like this:
WSA01: M1 intf for management, P1 for data, AsyncOS 10.5.1
  System Hostname: wsa01.example.com
  P1 Name: wsa01-data.example.com (10.10.10.21)

WSA02: M1 intf for management, P1 for data, AsyncOS 10.5.1
  System Hostname: wsa02.example.com
  P1 Name: wsa02-data.example.com (10.10.10.22)

Failover Groups (on both wsa01 and wsa02):
FG1: wsa-vip1.example.com (10.10.10.11) - Active on wsa01
FG2: wsa-vip2.example.com (10.10.10.12) - Active on wsa02
DNS Server: Round-Robin DNS based proxy server load-balancing
proxy.example.com
A-record: 10.10.10.11
A-record: 10.10.10.12

MGMT interfaces are not given above, but they exist and are configured on a different subnet. End-user machines are configured with "proxy.example.com:3128" via group policy. The WSA policy authenticates all corporate machine users via AD - the Identification Profile specifies (Kerberos OR NTLM OR Basic) auth schemes; explicit-mode surrogates are not used [unchecked].
With this setup IE works without any issues. However, Chrome and Firefox (latest versions) both bring up a pop-up asking for user credentials the first time. After that it seems to work fine until the browser is closed and re-opened. Whitelisting the proxy URL in Firefox's trusted lists does not seem to help. Modifying the advanced NTLM and proxy parameters in Firefox "about:config" does not seem to help either.
The User Guide here https://www.cisco.com/c/dam/en/us/td/docs/security/wsa/wsa_10-0/WSA_10-5-1_UserGuide.pdf states this: "In explicit mode, the WSA host name (CLI command sethostname) and the proxy name configured in the browser must be the same." I cannot set the system name of both WSA proxies to "proxy.example.com", as these nodes are AD-joined and we can't have two AD joins with the same machine name.
Interestingly, when these browsers are configured with "wsa01-data.example.com" or "wsa02-data.example.com", the pop-up does not appear. It seems there is a trust issue where the browser is not trusting our "explicit" proxy when the configured proxy URL does not contain the WSA's system name in it. Is this not limited to transparent deployments only, as stated here https://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/117934-technote-csc-00.html ?
If a system-name match in the proxy URL is still a requirement, how can we design the solution with failover groups?
Regards, 

Rick.
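The post does not say which of the three auth schemes the browsers are attempting, so the following is an added diagnostic and not part of Rick's post or of Cisco's documentation. It assumes that when a browser uses Negotiate (Kerberos) against an explicit proxy it requests a service ticket for the SPN HTTP/<proxy name as configured in the browser>, which is the general Kerberos behaviour and is the reason a mismatch between the configured proxy name and the appliance's AD identity would matter. Run from a domain-joined Windows client as the logged-on user, it checks, for each of the three names in the post, what the name resolves to, whether an HTTP/<name> SPN is registered anywhere in AD, and whether the KDC will actually issue a ticket for it. Only built-in tools are used (Resolve-DnsName, setspn.exe, klist.exe); the hostnames and addresses are the ones from the post.

```powershell
# Added example (not from the original post). Assumes a domain-joined Windows
# client and that browsers using Negotiate request the SPN "HTTP/<proxy name>"
# for an explicit proxy; names are the ones given in the post.
$names = @('proxy.example.com', 'wsa01-data.example.com', 'wsa02-data.example.com')

foreach ($name in $names) {
    Write-Host "=== $name ==="

    # 1. DNS: which address(es) does this client resolve the proxy name to?
    #    For proxy.example.com we expect both VIPs (10.10.10.11 / .12) in
    #    round-robin order; for the -data names a single P1 address.
    try {
        $records = Resolve-DnsName -Name $name -Type A -ErrorAction Stop
        $records | ForEach-Object { Write-Host ("  A record : {0}" -f $_.IPAddress) }
    } catch {
        Write-Host "  DNS lookup failed: $($_.Exception.Message)"
        continue
    }

    # 2. Active Directory: is an SPN HTTP/<name> registered on any account?
    #    setspn -Q searches the forest and prints "No such SPN found." on a miss;
    #    on a hit it prints the owning account DN followed by "Existing SPN found!".
    $spn = "HTTP/$name"
    $query = & setspn.exe -Q $spn 2>&1
    if (($query -join "`n") -match 'No such SPN found') {
        Write-Host "  SPN $spn : NOT registered (Kerberos cannot be used for this name)"
    } else {
        Write-Host "  SPN $spn : registered on"
        $query | Where-Object { $_ -match '^CN=' } | ForEach-Object { Write-Host "    $_" }
    }

    # 3. KDC: can the current user obtain a service ticket for that SPN?
    #    'klist get' requests the ticket and then lists the cache. If the KDC
    #    has no account holding the SPN it fails with KDC_ERR_S_PRINCIPAL_UNKNOWN,
    #    which is the point at which a browser would fall back to NTLM/Basic
    #    (or prompt) rather than authenticate silently.
    $ticket = & klist.exe get $spn 2>&1
    if ($LASTEXITCODE -eq 0 -and (($ticket -join "`n") -match [regex]::Escape($spn))) {
        Write-Host "  Ticket  $spn : obtained"
    } else {
        Write-Host "  Ticket  $spn : FAILED"
        $ticket | Select-Object -First 3 | ForEach-Object { Write-Host "    $_" }
    }
}
```

If the -data names pass all three checks and proxy.example.com fails step 2 or 3, the silent-versus-prompt difference lines up with Kerberos rather than with browser trust settings. One general Kerberos constraint worth keeping in mind for the failover design: a given SPN can be held by only one account in a domain, and a service ticket for it is encrypted with that account's key, so a shared name that both appliances must serve cannot simply be registered on both of their computer accounts. How (or whether) the WSA supports a shared service principal across two AD-joined appliances is not something this check can answer; it only tells you which SPN the clients are asking for and whether the domain can satisfy it.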