Error : "Cannot use form authentication for CONNECT method …" when connecting to HTTPS sites

Article ID: 167083

Products

ProxySG Software - SGOS

Issue/Introduction

Users see the following error when connecting to HTTPS sites through an explicit proxy (CONNECT requests) while authentication is configured in origin-style redirection or form redirect mode:

  "Cannot use form authentication for CONNECT method (explicit proxy of https URL)"
Cause

This error occurs when authentication is performed in a form redirect mode and a workstation sends a CONNECT request to the proxy.

A CONNECT request is how a browser that is explicitly configured to use a proxy asks the proxy to open a tunnel to a secure (non-port-80) destination.

For example, typing https://www.verisign.com into a browser generates a request that looks like this:

  CONNECT www.verisign.com:443

By standard, a CONNECT request cannot be redirected, because it establishes a tunneled connection. Since the tunneled traffic is not decrypted, the proxy cannot inject anything into it, so it has no way to send a redirect that points the browser to the authentication form.

NOTE: This is not a product limitation. Browsers, by design, do not follow redirects returned in response to a CONNECT request, for security reasons.

Resolution

There are two possible solutions to this issue:

  1. Bypass authentication on the CONNECT method by adding the following rule to the local policy file:

       <proxy>
           http.method=CONNECT authenticate(no)

  2. Use "proxy" authentication mode for CONNECT requests and keep the redirect mode for the rest, for example (here ldap and cert are the names of the authentication realms configured on the appliance):

       <proxy>
           allow http.method=CONNECT authenticate.mode(proxy) authenticate(ldap)
           allow authenticate(cert) authenticate.mode(origin-cookie-redirect)
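The following Python model illustrates why the two resolutions work and the original policy does not. It is an added example written for this article, not ProxySG code, and it does not execute CPL: each `<proxy>` layer is represented as a list of rules evaluated first-match-wins, and the form URL, the GET request line and the Basic challenge format are constructed placeholders. The CONNECT request line is the one quoted in the article.

```python
"""Model of how an explicit proxy can (and cannot) deliver an authentication
challenge to a browser, depending on the authentication mode in force.

Added example for this article; it is not ProxySG code and does not run CPL.
The form URL, the GET request line and the Basic challenge are constructed."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed placeholder for the authentication form used by redirect modes.
FORM_URL = "https://auth.proxy.example.test/login"

# The error the article describes (text taken from the article).
ERROR_TEXT = "Cannot use form authentication for CONNECT method (explicit proxy of https URL)"


@dataclass
class ProxyRequest:
    method: str
    target: str   # "host:port" for CONNECT, an absolute URL otherwise
    version: str


def parse_request_line(line: str) -> ProxyRequest:
    """Parse the first line of a request as sent to an explicit proxy."""
    parts = line.strip().split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {line!r}")
    method, target, version = parts
    return ProxyRequest(method.upper(), target, version)


@dataclass
class Rule:
    """One rule of a <proxy> layer: match on method (None = any), then apply
    an authentication mode. mode is 'no' (authenticate(no)), 'proxy' or
    'origin-cookie-redirect'; realm is the realm name, as in authenticate(ldap)."""
    mode: str
    realm: Optional[str] = None
    method: Optional[str] = None


def first_match(layer: List[Rule], request: ProxyRequest) -> Optional[Rule]:
    """First matching rule in the layer wins (simplified CPL layer semantics)."""
    for rule in layer:
        if rule.method is None or rule.method == request.method:
            return rule
    return None


def respond(layer: List[Rule], raw_line: str) -> Tuple[str, Optional[int], dict]:
    """Decide what the proxy sends back for this request line under this layer.

    Returns (action, status, detail): 'proceed' lets the request through with
    no challenge, 'challenge' is a 407 carrying Proxy-Authenticate, 'redirect'
    is a 302 to the form, and 'error' is the condition the article describes."""
    request = parse_request_line(raw_line)
    rule = first_match(layer, request)
    if rule is None or rule.mode == "no":
        return ("proceed", None, {})
    if rule.mode == "proxy":
        # Proxy-mode credentials travel on the request itself, so a CONNECT
        # can be challenged with 407 before any tunnel exists.
        return ("challenge", 407, {"Proxy-Authenticate": f'Basic realm="{rule.realm}"'})
    if rule.mode == "origin-cookie-redirect":
        if request.method == "CONNECT":
            # Nothing inside the tunnel can be redirected, and browsers do not
            # follow a redirect answering a CONNECT, so the proxy reports an error.
            return ("error", None, {"message": ERROR_TEXT})
        return ("redirect", 302, {"Location": FORM_URL})
    raise ValueError(f"unknown authentication mode {rule.mode!r}")


# The failing policy: redirect mode applied to every method, CONNECT included.
FORM_ONLY = [Rule(mode="origin-cookie-redirect", realm="cert")]

# Resolution 1: http.method=CONNECT authenticate(no), redirect mode otherwise.
BYPASS_CONNECT = [Rule(mode="no", method="CONNECT"),
                  Rule(mode="origin-cookie-redirect", realm="cert")]

# Resolution 2: proxy mode for CONNECT, redirect mode for everything else.
PROXY_FOR_CONNECT = [Rule(mode="proxy", realm="ldap", method="CONNECT"),
                     Rule(mode="origin-cookie-redirect", realm="cert")]

CONNECT_LINE = "CONNECT www.verisign.com:443 HTTP/1.1"   # from the article
GET_LINE = "GET http://www.example.test/ HTTP/1.1"        # constructed

if __name__ == "__main__":
    for name, layer in (("form only", FORM_ONLY), ("bypass", BYPASS_CONNECT),
                        ("proxy mode", PROXY_FOR_CONNECT)):
        for line in (CONNECT_LINE, GET_LINE):
            print(f"{name:10} {line:40} -> {respond(layer, line)}")
```

Running the model shows the trade-off between the two resolutions: with the bypass layer a CONNECT proceeds with no identity attached, so user-based policy and reporting do not apply to HTTPS traffic; with the proxy-mode layer the CONNECT gets a 407 Proxy Authentication Required carrying Proxy-Authenticate, which is also what you should see from an explicit client after applying resolution 2 on the appliance.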