When accessing Gmail via the ProxySG appliance, authentication issues occur with error "Gmail is having authentication problems. Some features may not work"

Article ID: 167396

Products

ProxySG Software - SGOS

Issue/Introduction

Google has introduced new or changed code that causes the following error when the transaction passes through the Blue Coat appliance and proxy authentication is enabled. The error message appears in red on the Gmail page:

 "Gmail is having authentication problems. Some features may not work"

To determine if the issue is related to this error, run a Policy trace and look for the following:

start transaction -------------------
  CPL Evaluation Trace: transaction ID=463844
  transaction type: qualifier-index=9 name=https-forward service=SG-SSL-Proxy-Service module=SSL-Proxy
           <Proxy>
    MATCH:         authenticate(test) authenticate.force(no) authenticate.mode(auto)

  connection: service.name=Explicit HTTP client.address=192.168.1.27 proxy.port=8080
  time: 2014-06-03 10:42:54 UTC
  POST https://clients6.google.com/plusi/v2/ozInternal/contactstorequery?key=AIzaSyBuUpn1wi2-0JpM3S-tq2csYx0z2_m_pqc&alt=json
  user: name="LAB\labtest" realm=Test
  authentication status='none' authorization status='none'
  server.response.code: 401
  client.response.code: 401
  application.name: none
  application.operation: none
  DSCP client outbound: 65
  DSCP server outbound: 65
 
  set response header 'Cache-Control'
    value='private, max-age=0, proxy-revalidate'
  Transaction timing: total-transaction-time 35 ms
    Checkpoint timings:
      new-connection: start 1 elapsed 0 ms
      client-in: start 1 elapsed 0 ms
      scan-request-completed: start 1 elapsed 0 ms
      server-out: start 1 elapsed 0 ms
      server-in: start 1 elapsed 0 ms
      client-out: start 34 elapsed 0 ms
      access-logging: start 35 elapsed 0 ms
      stop-transaction: start 35 elapsed 0 ms
      Total Policy evaluation time: 0 ms
    url_categorization not completed
    server connection: start 1
      DNS Lookup: start 1 elapsed 0 ms
    server connection: connected 1 first-byte 34 last_byte 35
    client connection: first-response-byte 35 last-response-byte 35
   
  Total time added: 0 ms
  Total latency to first byte: 1 ms
     Request latency: 0 ms
    OCS connect time: 0 ms
    Response latency (first byte): 1 ms
     Response latency (last byte): 0 ms
stop transaction --------------------

The key indicators in the trace are the 401 server/client response code and the POST to https://clients6.google.com/.
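The check described above can be automated over a saved policy trace. The following Python is an added example, not part of the original article or of any Blue Coat tooling; the function names and the constructed sample trace (cookie headers omitted, second transaction invented as a non-matching control) are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the layout of a policy trace, cookie headers omitted.
# The second transaction is a control that must not be flagged.
SAMPLE_TRACE = """\
start transaction -------------------
  CPL Evaluation Trace: transaction ID=463844
    MATCH:         authenticate(test) authenticate.force(no) authenticate.mode(auto)
  POST https://clients6.google.com/plusi/v2/ozInternal/contactstorequery?alt=json
  server.response.code: 401
  client.response.code: 401
stop transaction --------------------
start transaction -------------------
  CPL Evaluation Trace: transaction ID=463845
    MATCH:         authenticate(test) authenticate.force(no) authenticate.mode(auto)
  GET https://mail.google.com/mail/u/0/
  server.response.code: 200
  client.response.code: 200
stop transaction --------------------
"""

REQUEST = re.compile(r"^\s*([A-Z]+) (https?://\S+)", re.M)

def parse_transactions(trace):
    """Split a policy trace into one dict per start/stop transaction block."""
    blocks = re.findall(r"^start transaction -+\r?\n(.*?)^stop transaction -+", trace, re.S | re.M)
    out = []
    for body in blocks:
        req = REQUEST.search(body)
        tid = re.search(r"transaction ID=(\d+)", body)
        codes = dict(re.findall(r"^\s*(server|client)\.response\.code: (\d+)", body, re.M))
        out.append({
            "id": tid.group(1) if tid else None,
            "method": req.group(1) if req else None,
            "host": urlsplit(req.group(2)).hostname if req else None,
            "auth_rule": "authenticate(" in body,  # an authenticate() rule matched
            "server": codes.get("server"),
            "client": codes.get("client"),
        })
    return out

def affected(trace, host="clients6.google.com"):
    """Return IDs of transactions showing the pattern: auth rule + POST + 401/401."""
    return [t["id"] for t in parse_transactions(trace)
            if t["auth_rule"] and t["method"] == "POST" and t["host"] == host
            and t["server"] == "401" and t["client"] == "401"]
```

Calling affected() on the text of a saved trace returns the IDs of the transactions that match; an empty list means the 401 seen by users has some other cause.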

Resolution

To resolve the issue, use one of the following approaches. Both are valid and will work in any environment; choose either the VPM or the CPL approach.

In the VPM:
Edit the main Web Authentication Layer and add a rule whose Destination is the Request URL "clients6.google.com". For the Action, add "Do Not Authenticate".

Note: This rule bypasses authentication for requests to the Request URL "clients6.google.com". Because those requests are then unauthenticated, they may in some cases fail to match any group-based allow rules and hence be blocked. For this reason, in addition to bypassing authentication, you may need to add a specific allow rule for this URL.

In the CPL:
Because the problem occurs with the POST request, the following CPL can be used instead to narrow the authentication bypass to that method:

<proxy>
  ; Skip proxy authentication for POST requests to clients6.google.com
  url.domain="clients6.google.com" http.method=POST authenticate(no)