Error : "Cannot use form authentication for CONNECT method …" when connecting to HTTPS sites


Article ID: 167083


Updated On:


ProxySG Software - SGOS


Users are seeing this error  when connecting to HTTPS sites using CONNECT and Origin-Style Redirection or form redirect modes in explicit proxy.

 "Cannot use form authentication for CONNECT method (explicit proxy of https URL)"



This error occurs when authentication is done via a form redirect mode, and a workstation send a 'Connect' request to the proxy.

A connect request is how a browser, that is explicitly configured to use a proxy, asks to open secure connection on a port that isn't 80.

For example, typing in in a browser would generate a request that looks like this : 



By standard, it is not possible to redirect a 'Connect' request as this is a tunneled connection. Since this traffic is not being decrypted the proxy cannot access whatever is inside that tunnel, to send a redirect and point the browser to the authentication form.


NOTE: This is not a product limitation. Browsers, by design, do not follow redirects when the HTTP method used was 'Connect' for security reasons.



There are two possible solutions in order to resolve this issue:


  1. Bypass authentication on the CONNECT method by adding the following code to the local policy file:


http.method=CONNECT  authenticate(no)


  1.  Use "proxy" authentication mode, for example:


allow http.method=CONNECT authenticate.mode(proxy) authenticate(ldap)

allow authenticate(cert) authenticate.mode(origin-cookie-redirect)