Proxy in System and User Context

Nasir 1 Reputation point
2021-08-16T20:02:40.637+00:00

Was wondering if there is a mechanism to leverage a proxy in both contexts, i.e. the user context (browser) and the system context (using netsh winhttp set proxy).

While all URLs work fine in the user's context (i.e. the proxy defined in the browser), there are a few URLs pertaining to Azure AD which need to be reachable in the system context prior to user login; otherwise the authentication does not pass through and the user cannot log in to the device.

Any assistance or clues?


2 answers

  1. Siva-kumar-selvaraj 15,651 Reputation points
    2021-08-17T09:53:33.71+00:00

    Hello @Nasir ,

    Thanks for reaching out.

    Are you referring to Hybrid Azure AD join? If so, then devices need to have access to the following Microsoft resources from inside your organization's network:

    https://enterpriseregistration.windows.net
    https://login.microsoftonline.com
    https://device.login.microsoftonline.com
    https://autologon.microsoftazuread-sso.com (If you use or plan to use seamless SSO)

    If your organization requires access to the internet via an outbound proxy, you can implement Web Proxy Auto-Discovery (WPAD) to enable Windows 10 computers for device registration with Azure AD. To address issues configuring and managing WPAD, see Troubleshooting Automatic Detection. On Windows 10 devices prior to the 1709 update, WPAD is the only available option to configure a proxy to work with Hybrid Azure AD join.

    If you don't use WPAD, you can configure WinHTTP proxy settings on your computer beginning with Windows 10 1709. For more information, see WinHTTP Proxy Settings deployed by GPO, or manually run the following command, which imports the proxy settings from the user context to the system context: netsh winhttp import proxy source=ie

    Note:
    If you configure proxy settings on your computer by using WinHTTP settings, any computers that can't connect to the configured proxy will fail to connect to the internet.

    If your organization requires access to the internet via an authenticated outbound proxy, make sure that your Windows 10 computers can successfully authenticate to the outbound proxy. Because Windows 10 computers run device registration by using machine context, configure outbound proxy authentication by using machine context. Follow up with your outbound proxy provider on the configuration requirements.

    Verify the device can access the above Microsoft resources under the system account by using the Test Device Registration Connectivity script.

    Look at the proxy section of these prerequisites for more information.

    Hope this helps.

    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
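    An added example (not part of this answer or of Microsoft's Test Device Registration Connectivity script) of how to check the endpoints above from the machine context: it reads the WinHTTP proxy currently configured and sends a HEAD request to each URL through that proxy, using the machine's default credentials for an authenticated proxy. It assumes netsh reports a single host:port proxy entry and is meant to be run elevated or under the SYSTEM account.

```powershell
# Added example: verify device-registration endpoints through the WinHTTP (system) proxy.
$endpoints = @(
    'https://enterpriseregistration.windows.net',
    'https://login.microsoftonline.com',
    'https://device.login.microsoftonline.com',
    'https://autologon.microsoftazuread-sso.com'   # only required with Seamless SSO
)

# Show the proxy the system context will use (netsh prints "Direct access" when none is set).
$winhttp = (netsh winhttp show proxy) -join "`n"
Write-Host "Current WinHTTP configuration:`n$winhttp`n"

# Assumption: a single "Proxy Server(s) : host:port" line; per-protocol lists are not parsed here.
$proxy = $null
if ($winhttp -match 'Proxy Server\(s\)\s*:\s*(\S+)') {
    $proxy = New-Object System.Net.WebProxy('http://' + $Matches[1])
    # Registration runs as the machine, so an authenticated proxy must accept machine credentials.
    $proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
}

foreach ($url in $endpoints) {
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.Method  = 'HEAD'
    $req.Timeout = 10000
    if ($proxy) { $req.Proxy = $proxy }
    try {
        $resp = $req.GetResponse()
        Write-Host ("OK      {0}  (HTTP {1})" -f $url, [int]$resp.StatusCode)
        $resp.Close()
    } catch [System.Net.WebException] {
        # Any HTTP status (even 4xx) proves the proxy path works; only transport errors are failures.
        if ($_.Exception.Response) {
            Write-Host ("OK      {0}  (HTTP {1})" -f $url, [int]$_.Exception.Response.StatusCode)
        } else {
            Write-Host ("FAILED  {0}  {1}" -f $url, $_.Exception.Status)
        }
    }
}
```

    A FAILED line under SYSTEM while the same URL opens in the user's browser is the symptom described in this thread: the browser proxy is set but the WinHTTP proxy is not.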

  2. Nasir 1 Reputation point
    2021-09-03T10:27:40.303+00:00

    Hi Sikumar,

    Thanks for your revert, and sincere apologies for the delay in my response.

    Endpoints are part of Azure AD. As long as they are working from home, they do not have any issues. When they connect to the office intranet and change their password using SSPR, then lock the endpoint by pressing Ctrl+Alt+Del, or log off and attempt to log in again, the users are unable to log in on the endpoints since they do not get authenticated to Azure AD with their newly changed password (since their new password is not cached). The users have to log in on the endpoint using their previously cached password.

    Upon troubleshooting, we observed that the above URLs (that you've mentioned) need to be reachable in the system context.

    While the netsh command works fine and the users are able to log in to the endpoint using the newly changed password, they do have issues connecting to other internet-based resources due to the proxy set in the system context.
    Also, we do not have WPAD in our environment.

    One more thing I wanted to highlight is that we cannot even open the URLs directly on the internet-facing firewall, since URL-based port opening is not an option in this environment.

    Any other clues or suggestions will be highly appreciated.
