How to store proxy credentials on macOS so they are used by system services?

Solution 1:

This is most likely expected behavior if your system/network administrator has configured the proxy to force authentication that requires more than just a basic authentication scheme.

From Microsoft's page "Handling Authentication", under the "About HTTP Authentication" section:

There are two general types of authentication schemes:

  • Basic authentication scheme, where the user name and password are sent in cleartext to the server.
  • Challenge-response schemes, which allow for a challenge-response format.

Challenge-response schemes enable more secure authentication. If a request requires authentication using a challenge-response scheme, the appropriate status code and Authenticate headers are returned to the client. The client must then resend the request with a negotiate. The server would return an appropriate status code with a challenge, and the client would then need to resend the request with the proper response to get the requested service.

If the proxy you are using utilizes the basic authentication scheme, what's saved in your keychain will suffice to authenticate you. If a challenge-response scheme is being used, you will most likely have to provide more info - in this case, re-enter your password - to authenticate; and this is what you are seeing.

NTLM Authentication Process

This is much more than just storing credentials. The client must generate a response based upon a generated request from the server. Following is a very abridged description of the authentication process from the client/server perspective, per Microsoft's documentation.

  • The client sends the user name to the server (in plaintext).

  • The server generates a 16-byte random number, called a challenge or nonce, and sends it to the client.

  • The client encrypts this challenge with the hash of the user's password and returns the result to the server. This is called the response.

  • The server sends the following three items to the domain controller:

    • User name
    • Challenge sent to the client
    • Response received from the client

  • The DC validates the encrypted challenge and response. If authenticated, access is granted.

The third step above requires the client to hash a random number it got from the server. This inherently means there's nothing to be stored on your macOS client.

At a very minimum, you need to be joined to the Active Directory domain. This means you need Kerberos support enabled and configured properly for your specific organization.

There's a key phrase in the "Handling Authentication" document I linked above:

If authentication is required, the INTERNET_FLAG_KEEP_CONNECTION flag should be used in the call to HttpOpenRequest. The INTERNET_FLAG_KEEP_CONNECTION flag is required for NTLM and other types of authentication in order to maintain the connection while completing the authentication process. If the connection is not maintained, the authentication process must be restarted with the proxy or server.

(Emphasis mine)

Based on the symptoms being presented, it appears that your organization requires authentication to the proxy; your username/password are valid, but it keeps (re)asking for authentication. It's probably because you are losing the connection state and having to do this all over again. Which further emphasizes the point...

To solve this issue, you will need to contact your network admin to assist you with the authentication issues.
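
As an added illustration (not code from the answer above or from Microsoft), here is the abridged NTLM exchange modelled in Python. The real NTLM primitives (MD4 over the UTF-16LE password, DES/HMAC-MD5 for the response) are replaced by SHA-256 and HMAC-SHA256 as a stated assumption, which preserves the shape of the exchange: the response is bound to a fresh server nonce, so nothing reusable can be cached on the client, and a dropped connection means a new challenge and a new round.

```python
import hashlib
import hmac
import secrets


def password_hash(password: str) -> bytes:
    """Stand-in for the per-user hash the domain controller stores.
    Assumption: SHA-256 in place of NTLM's MD4 over the UTF-16LE password."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


# Constructed sample directory: the DC holds only the password hash, never the cleartext.
DIRECTORY = {"alice": password_hash("correct horse battery")}


def server_challenge() -> bytes:
    """Step 2: the server draws a fresh 16-byte random nonce for this connection."""
    return secrets.token_bytes(16)


def client_response(password: str, challenge: bytes) -> bytes:
    """Step 3: keyed hash of the challenge under the password hash
    (assumption: HMAC-SHA256 instead of NTLM's DES/HMAC-MD5 construction)."""
    return hmac.new(password_hash(password), challenge, hashlib.sha256).digest()


def dc_validate(directory: dict, user: str, challenge: bytes, response: bytes) -> bool:
    """Steps 4 and 5: the DC recomputes the response from its stored hash and compares."""
    stored = directory.get(user)
    if stored is None:
        return False
    expected = hmac.new(stored, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def authenticate(directory: dict, user: str, password: str) -> bool:
    """One complete exchange over a single kept-alive connection."""
    challenge = server_challenge()                      # server -> client
    response = client_response(password, challenge)     # client -> server
    return dc_validate(directory, user, challenge, response)  # server -> DC


def reuse_cached_response(directory: dict, user: str, password: str) -> bool:
    """What a client that 'remembered' its last response gets after the connection drops:
    the server issues a new challenge, so the stored response no longer validates."""
    cached = client_response(password, server_challenge())  # response from the old connection
    new_challenge = server_challenge()                      # connection lost, new nonce
    return dc_validate(directory, user, new_challenge, cached)


if __name__ == "__main__":
    print(authenticate(DIRECTORY, "alice", "correct horse battery"))          # True
    print(reuse_cached_response(DIRECTORY, "alice", "correct horse battery"))  # False
```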

Solution 2:

Note: check the radio button to allow all applications to use the proxy.

Modify the setting by authenticating in the Keychain app.