Failure to authenticate a tunneled SSL request


Article ID: 165760


Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

When troubleshooting authentication problems on the ProxySG, you may see the following exception in a policy trace:

EXCEPTION(configuration_error): Authentication failed because of a configuration problem
Last Error: Failure to authenticate a tunneled SSL request. This is typically caused when authentication policy is applied to tunneled SSL connections.

Please contact your network administrator to either exempt tunneled SSL traffic from authentication or to create suitable SSL interception policy for first intercepting SSL connections as HTTPS and then authenticating them.

Cause

This exception page is issued when the proxy is unable to issue an authentication challenge inside an encrypted session because it is not decrypting (intercepting) that session. A tunneled SSL connection reaches the proxy as a CONNECT tunnel with the ssl:// scheme; the proxy only sees the destination host and port, never an HTTP request into which a challenge could be placed.

Resolution

Because an authentication challenge cannot be injected into an exchange the proxy does not decrypt, authentication must be bypassed for tunneled SSL requests (those with the ssl:// scheme). The alternative mentioned in the exception text, intercepting the SSL connection so the proxy sees it as HTTPS and can then authenticate it, is outside the scope of this article. There are several ways to apply the bypass:

  1. Use a regular expression in policy to match a "do not authenticate" rule. NOTE: regex rules consume more resources to evaluate than a scheme match. Anchor the expression to the start of the URL (^ssl://): an unanchored "ssl://" also matches an ordinary http:// request that merely contains that string in its path or query, which would exempt that request from authentication.
     a. Via CPL, add the following to the local policy file:

<Proxy>
  url.regex="^ssl://" authenticate(no)

     b. Via the VPM, define a rule based on the ssl:// prefix in the Web Authentication layer:

Under Destination right-click > Set > New > Request URL > select Regular Expression Match > enter ^ssl:// > OK > click Install Policy


  2. Create a rule that authenticates only requests whose scheme is HTTP or HTTPS. Tunneled SSL requests that are not intercepted carry the ssl:// scheme, so they do not match this rule and are not challenged.
     a. Find the rule that currently triggers authentication.
     b. Right-click Destination > Set > New > Combined Destination Object.
     c. Click New > Request URL Object.
     d. Give the object a name.
     e. Click Advanced Match, set Scheme to HTTP and click Add; then repeat for HTTPS.
     f. Once both objects are created, select each object and click Add to move it into the top-right box (objects in that box are combined with OR, so a request with either scheme satisfies the destination).

Your rule should appear as follows:
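The same scheme-based rule expressed in CPL, as an added example that is not part of the original article. It assumes an existing authentication realm named my_realm (substitute your own). url.scheme=ssl is the CPL form of the ssl:// prefix that the VPM shows for tunneled SSL requests; within one layer the first matching rule wins, so the explicit bypass is listed before the authenticate rule.

```cpl
; Added example (not from the original article).
; Assumes an authentication realm named "my_realm" already exists.
<Proxy>
  ; Tunneled SSL that the proxy does not intercept carries the "ssl" scheme.
  ; The proxy cannot inject a challenge into it, so exempt it explicitly.
  url.scheme=ssl authenticate(no)

  ; Requests the proxy can actually see as HTTP, or as HTTPS after SSL
  ; interception, are challenged as usual.
  url.scheme=(http, https) authenticate(my_realm)
```

After installing this as the local policy, re-run the policy trace for a CONNECT to a site that is not intercepted: the configuration_error exception should no longer appear, while a plain http:// request to the same site should still hit the authenticate(my_realm) rule. If SSL interception is later enabled for some destinations, those requests arrive as https:// and are authenticated by the second rule, which is the "intercept first, then authenticate" arrangement the exception text describes.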