Authentication prompts for web servers in an explicit proxy deployment

Article ID: 262431

Products

ProxySG Software - SGOS

Issue/Introduction

Users receive authentication prompts stating the web server requires authentication.

Environment

Release: 7.3+

Deployment: Explicit Proxy

Authentication Mode: Proxy / Proxy-IP

Cause

Background

SGOS 7.3 supports the HTTP/2 protocol.

Web browsers keep the HTTP/2 connection open and reuse it for future requests. The inactivity timeout during which modern browsers reuse these connections has been observed at 5-6 minutes.

Authentication is performed with a proxy-style authentication challenge, 407 (Proxy-Authenticate), on the initial HTTP CONNECT request.

If the user's credential is removed from the proxy and the browser then sends a request (GET/POST) on the existing connection, the proxy responds with a 401 (WWW-Authenticate) challenge. The browser displays an authentication prompt to the user because, for security reasons, it does not automatically send the user's credentials to web servers.

This is the expected behavior as the proxy can only issue 407 (Proxy-Authenticate) against the initial proxy CONNECT requests.

Root Cause

The credential inactivity timeout specified in the realm is less than the browser's HTTP/2 inactivity timeout.

The credential can be removed from the proxy while an existing HTTP/2 connection may still be re-used by the browser.

Resolution

Increase the realm inactivity timeout to be longer than the browser's HTTP/2 timeout. The default is 900 seconds.

  1. Navigate to Configuration > Authentication > Realms and Domains
  2. Edit the realm
  3. Under the Advanced Settings, set the Inactivity Timeout.
  4. Apply the settings.
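
The timing interaction described under Cause can be checked with a small model. This is an added example, not code from the vendor or from SGOS; the class and function names are hypothetical, and the model assumes one user on one connection, that both idle timers restart on every request, and that a new CONNECT passes unchallenged while the credential is still cached.

```python
from dataclasses import dataclass

NO_CHALLENGE = "none"
CHALLENGE_407 = "407 Proxy-Authenticate on CONNECT"
CHALLENGE_401 = "401 WWW-Authenticate on reused connection (user prompt)"

@dataclass
class Timeouts:
    realm_inactivity: int  # seconds: the realm's Inactivity Timeout
    browser_h2_idle: int   # seconds: how long the browser reuses an idle HTTP/2 connection

def simulate(request_times, t):
    """Return the challenge seen at each request time (seconds, ascending).

    Simplified model of the behavior described in this article, not of SGOS
    internals; see the assumptions listed in the lead-in.
    """
    outcomes = []
    last = None  # time of the previous request; None = no connection, no credential
    for now in request_times:
        idle = None if last is None else now - last
        conn_open = idle is not None and idle < t.browser_h2_idle
        cred_cached = idle is not None and idle < t.realm_inactivity
        if conn_open and not cred_cached:
            # Credential expired but the browser reuses the old connection:
            # the proxy cannot send 407 here, so the user sees a 401 prompt.
            outcomes.append(CHALLENGE_401)
        elif not conn_open and not cred_cached:
            # New connection starts with CONNECT, where 407 is possible.
            outcomes.append(CHALLENGE_407)
        else:
            outcomes.append(NO_CHALLENGE)
        last = now  # assumption: the user re-authenticates after any challenge
    return outcomes

def risky_idle_window(t):
    """Idle gaps (seconds, half-open range) that end in a 401 prompt, or None."""
    if t.realm_inactivity < t.browser_h2_idle:
        return (t.realm_inactivity, t.browser_h2_idle)
    return None

if __name__ == "__main__":
    # Constructed values: 330 s sits inside the observed 5-6 minute browser range.
    for realm in (180, 900):
        t = Timeouts(realm_inactivity=realm, browser_h2_idle=330)
        print(realm, risky_idle_window(t), simulate([0, 60, 300], t))
```
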