ERR_UNEXPECTED when connecting to web site with windows integrated auth through authenticated proxy over HTTP
Reported by
pulec2...@gmail.com,
Jul 30
|
||||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36 Example URL: any HTTP URL that fulfills the conditions i.e. being behind authenticated proxy and requiring windows integrated auth (kerberos or ntlm) Steps to reproduce the problem: Open web site under these conditions: 1. access via http (issue doesn't appear over https) 2. access through proxy with authentication (ntlm or kerberos) 3. target site requires windows authentication (ntlm or kerberos) 3. What is the expected behavior? I expect chrome to connect and authenticate as it does via http or when proxy doesn't require authentication. What went wrong? cannot connect to these sites. it blocks chrome deployment (IE11 replacement) in enterprise. chrome refuses to connect and displayes error message to user : This site can’t be reached The webpage at http://... might be temporarily down or it may have moved permanently to a new web address. ERR_UNEXPECTED Did this work before? N/A Chrome version: 68.0.3440.75 Channel: stable OS Version: 10.0 Flash Version: Shockwave Flash 30.0 r0
,
Jul 31
Hello, I cannot share URL for repro as you can repro it only inside enterprise network where I have windows integrated authentication (NTLM or Kerberos) available. The scenario when it doesn't work looks like this : Chrome client <--- HTTP to PROXY --> PROXY server asking Kerberos or NTLM auth <-- HTTP to target server--> TARGET server asking NTLM or Kerberos authentication Browser authenticates actually twice : first towards proxy and after that towards target server. In both cases it uses windows integrated auth (NTLM or kerberos). If you use HTTPS and not HTTP it works as expected. Also if proxy doesn't ask for authentication, then it works even with HTTP. I at least took network and HAR captures for both cases i.e. when it fails (HTTP) and when it works (HTTPS). In case it doesn't work (in case of HTTP i.e. no TLS), this is what you see in network capture: - Frame 6 - request to proxy - Frame 7 - 407 response from proxy requiring proxy authentication - Frame 19 - request to proxy with kerberos authentication to proxy - Frame 25 - 401 response from target server requiring NTLM authentication (it's NTLM in this case but you get the same behaviour for Kerberos) Now the browser doesn't continue with authentication (as expected) but terminates the process and displays error message for user. you can see the same repeated once more in frames 184, 185, 197, 205. the payload on background is supporting payload downloaded by Chrome devtools. I also attach HAR file for the same failed attempt. I also attach screenshot of error message that user gets in this case. In case it works (TLS in place i.e. HTTPS) you see: - Frame 6 - request to proxy - Frame 7 - 407 response from proxy requiring proxy authentication - Frame 19 - request to proxy with kerberos authentication then the TLS session is setup inside which NTLM authentication happens and browser successfuly downloads and delivers content. you of course don't see authentication as it's in encrypted TLS session but I at least attach HAR file.
,
Jul 31
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 1
As per comment#2 the issue seems to be related to Enterprise hence adding the component and requesting someone from Inhouse team to have a look into this and help in further triaging it. Adding label TE-NeedsTriageFromHYD. Thanks!
,
Aug 1
just to make it absolutely clear. issue is related to enterprise environment with respect to having windows integrated authentication (NTLM, Kerberos) and proxy in place. yet we use Chrome Enterprise build (MSI distribution), this issue can be reproduced with normal Chrome distribution as well. I also tested canary build (from July 30th) and also reproduced the issue with this latest build
,
Aug 1
,
Aug 3
zentaro@, can you triage if this is related to NTLM?
,
Aug 6
after few more tests it looks that it's related to Kerberos authentication towards proxy i.e. the issue occurs when kerberos is used for proxy authentication. hereare test results: proxy auth kerberos + server auth kerberos : fails proxy auth kerberos + server auth NTLM: fails proxy auth NTLM + server auth kerberos : OK proxy auth NTLM + server auth NTLM: OK proxy with auth (anonymous) + server auth kerberos : OK proxy with auth (anonymous) + server auth NTLM: OK
,
Aug 6
Thanks for the input so far. I believe we have enough information to make progress here. I'll assign to myself since this is likely a known issue with our HTTP authentication state machine. See also issue 51404 . |
||||||
►
Sign in to add a comment |
||||||
Comment 1 by vamshi.kommuri@chromium.org
, Jul 31Labels: Needs-Triage-M68 Needs-Feedback Triaged-ET