Proxy Authentication - Use device account's credential

Our Surface Hub needs to use a proxy that requires authentication. We are trying to set up the Surface Hub proxy settings with "Use the device account's credentials" for the proxy authentication. The device account's credentials exist in our Active Directory and have access to the internet. The Surface Hub is joined into our Active Directory domain. Everything works perfectly on the Hub except trying to browse the web using Edge. Every time we open Edge and try to access a site, we get a prompt asking for credentials. Looking at a network trace, we see that the Surface Hub is passing invalid credentials to our proxy. It's trying to pass a local account instead of using the "device account".

Can anyone help?

9 Replies
Hi Patrick.

I’d highly recommend you raise a support case for Microsoft to look into this. Make sure you gather logs from the Surface Hub (Settings > Update & Security > Recovery > Collect Logs) to pass to Microsoft.

https://support.microsoft.com/en-gb/help/4037644/surface-contact-surface-warranty-and-software-suppo...

I do have a support case opened. Unfortunately, the end result so far is to open the Surface Hub to the internet by doing MAC address filtering and letting the device go through without any authentication. I'm starting to consider this with our network/security team since we cannot make the Surface Hub properly pass its device account to our proxy (Blue Coat).

The Surface Hub is not really domain joined as a desktop client. It only allows domain users to authenticate against the AD to access the settings.

During proxy authentication it will provide local account, not domain account credentials.

To solve this, you must configure the proxy to authenticate the device using the local creds.

Hey Patrick,

Just in case you haven't solved it: you need to set 'AllowAutoProxyAuth' via MDM policy to make it work in Edge. See https://docs.microsoft.com/en-gb/surface-hub/manage-settings-with-mdm-for-surface-hub.

In addition to that, we are still waiting for an update scheduled for May 2018 to allow all apps on Surface Hub to work with proxy authentication.

Hi,

Tried to set this up using our AirWatch MDM but I didn't see anything I could configure for Surface Hub devices. Not sure we have the proper licensing. I'll need to dig further into our options. Anyway, we are not planning to purchase Hubs before May, so when the patch comes out, I assume it will fix it all.

You'll have to use a custom policy, likely delivered as XML:

<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Replace>
      <CmdID>1</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/SurfaceHub/Properties/AllowAutoProxyAuth</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">bool</Format>
        </Meta>
        <Data>true</Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>

Hi Sigurd,

I can see the proxy authentication option in the Surface Hub Settings is set to 'use the device account's credential' and I've also set the MDM policy you mentioned, but I can see on our web proxy logs the device connection is still anonymous.

Our device is fully up to date in terms of Security updates and Servicing Stack Update.

Am I missing something?

Thanks,

Ed

Hi @Eduardo Menezes,

Do you get prompted for the credentials? What happens when you provide them?

Is your proxy configured to use the ADFS or another solution as the authority instead of the AD?

Thanks,

Cezar

Hey Ed,

The setting covers only the browser (it is working in Edge for us); for the apps, this is a bug in Windows 10 Team Edition used on the Surface Hub. The authentication request is sent from the proxy, but isn't handled on the Hub at all. I have had a case with Microsoft on that for months; MS claims to have a fix, but isn't publishing the fix. They just send me a notice every Update Tuesday that the fix will not be part of the update.

This will kill a 20+ Surface Hub project in our company at the end of February.

Btw, the Windows 10 Team Edition Insider Build has the issue fixed (but no release date here either), so if you have a device for tests, register it in the Insider Program for Business and you can update it via WU.

Regards,

sigurd
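
Added example (not from any poster in this thread): a way to read, from a Proxy-Authorization header value taken out of your own network trace, which account the Hub actually offered, which is the check described in the first post. It assumes the proxy negotiates Basic or NTLM; the function names, "HUB-01" and "CONTOSO\hub-room1" are constructed placeholders.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
NTLM_UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE

def _field(msg, pos, enc):
    # Security buffer: length (2), max length (2), offset (4), little-endian.
    length, _max, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("NTLM field points outside the message")
    return msg[offset:offset + length].decode(enc, "replace")

def offered_identity(header_value):
    """Return (scheme, account, workstation) from a Proxy-Authorization value."""
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return (scheme, None, None)
    if scheme == "basic":
        # Keep only the user name; the password is never returned.
        return (scheme, raw.decode("utf-8", "replace").partition(":")[0], None)
    if raw.startswith(NTLM_SIG) and len(raw) >= 64:
        if struct.unpack_from("<I", raw, 8)[0] != 3:
            return ("ntlm", None, None)  # types 1 and 2 carry no user name
        flags = struct.unpack_from("<I", raw, 60)[0]
        enc = "utf-16-le" if flags & NTLM_UNICODE else "cp1252"
        domain, user, host = (_field(raw, p, enc) for p in (28, 36, 44))
        return ("ntlm", f"{domain}\\{user}" if domain else user, host)
    return (scheme, None, None)  # e.g. Kerberos in Negotiate: not decoded here

def sample_type3(domain, user, host):
    """Build a constructed NTLM type 3 message (empty responses) for testing."""
    parts = [s.encode("utf-16-le") for s in (domain, user, host)]
    offset, bufs = 64, []
    for data in [b"", b""] + parts + [b""]:  # LM, NT, domain, user, host, key
        bufs.append(struct.pack("<HHI", len(data), len(data), offset))
        offset += len(data)
    msg = NTLM_SIG + struct.pack("<I", 3) + b"".join(bufs)
    msg += struct.pack("<I", NTLM_UNICODE) + b"".join(parts)
    return "NTLM " + base64.b64encode(msg).decode("ascii")

if __name__ == "__main__":
    # Constructed samples: a local account, then a domain device account.
    for value in (sample_type3("HUB-01", "Admin", "HUB-01"),
                  sample_type3("CONTOSO", "hub-room1", "HUB-01")):
        print(offered_identity(value))
```

When the domain part equals the workstation name, the Hub offered a local account rather than the domain device account.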