IE and Edge ignore PAC (proxy auto config) file

IE and Edge are ignoring the PAC script file. The file is on a web server using HTTPS. If I change the URL to HTTP, it works fine. Is there any known issue with Windows? I started seeing this behavior with Windows 10 Build 1903, but I'm not sure if it wasn't present on previous builds.

Again, using https://someserver/script.pac does NOT work. Using http://someserver/script.pac works.

Note: This could potentially be an issue with WinHTTP, as other browsers work perfectly, like Firefox or Chrome. I'm not sure but I think they use WinINet.


Hi Eduardo

My name is Andre Da Costa; an Independent Consultant, Windows Insider MVP and Windows & Devices for IT MVP. I'm here to help you with your problem.

Because Windows 10 1903 is very new, this is an issue the engineers are not aware of that might need to be fixed.

I would recommend you file a bug report; send me the short link so I can vote on it and bring it to the attention of the Windows engineers.

https://windows10.help/blogs/entry/54-how-to-su...

You can also try changing the user agent string in Edge and IE to see if it works:

https://www.groovypost.com/howto/change-user-ag...

Information in the above link is sourced from a trusted Microsoft MVP blog.
Best regards,
Andre Da Costa
Independent Advisor for Directly


Hello Andre,

I've filed a bug report as recommended, here's the report url: https://aka.ms/AA5ctqg

I haven't tried to change the user agent string as you suggested, but I'll give it a shot once I have the opportunity and I'll let you know.


Looking forward to your update Eduardo.
Best regards,
Andre Da Costa
Independent Advisor for Directly


Andre,

Changing user agent string does not change behavior. We're still seeing the same issue. The only way to circumvent this, as far as I've seen, is using HTTP instead of HTTPS for the PAC script url.

1 person found this reply helpful


This is what we're seeing:

(...)
AutoConfigUrl : https://obfuscated.example/proxy.pac

(Mon Jun 10 02:24:29 PM)
<-WinHttpGetProxyForUrl failed
(12167) (0x2F87) The proxy auto-configuration script could not be downloaded

(Mon Jun 10 02:24:29 PM)
Out of proc only failed. Trying in proc.
AutoDetectFlags : 0
Flags : 1D0002
    WINHTTP_AUTOPROXY_CONFIG_URL
    WINHTTP_AUTOPROXY_NO_DIRECTACCESS
    WINHTTP_AUTOPROXY_NO_CACHE_CLIENT
    WINHTTP_AUTOPROXY_NO_CACHE_SVC
    WINHTTP_AUTOPROXY_RUN_INPROCESS
AutoLogonIfChallenged : 1
AutoConfigUrl : https://obfuscated.example/proxy.pac

(Mon Jun 10 02:24:29 PM)
<-WinHttpGetProxyForUrl failed
(12167) (0x2F87) The proxy auto-configuration script could not be downloaded

(Mon Jun 10 02:24:29 PM)
Falling back to DIRECT/NO_PROXY
Setting WINHTTP_ACCESS_TYPE_NAMED_PROXY flag in WINHTTP_AUTOPROXY_OPTIONS dwAccessType
Named proxy configured: (null)
->Calling WinHttpSetOption with proxy configuration set to:
Proxy : (null)
ProxyBypass : (null)
AccessType : 1
    WINHTTP_ACCESS_TYPE_NO_PROXY
<-WinHttpSetOption WINHTTP_OPTION_PROXY suceeded
(...)


I confirm that the problem affects only Windows 10 version 1903 (OS Build 18362.175).

This is a real problem; it is consistent and impacts a clean Windows 10 installation. I have a VM demonstrating the problem. I have an event log from WinHTTP full of things like

        Downloading the configuration file from the configuration URL failed: ConfigurationURL=https://OBFUSCATED/pac_gen/proxy.pac, Error=2148282247

0x213fa8d4ec0: SSL Cert Validation Failure - Unable to Get Cert Chain (Error: CERT_E_CN_NO_MATCH) Context Handle(0x1FC938689C0:0x213F9843940) (IgnoredServerCertErrors 0x0) (CertErrors 0x20001000)

A self-signed CA certificate explicitly added to the "Trusted Root Certification Authorities" resolves the issue.

Build 1903 also enforces Content-Type application/x-ns-proxy-autoconfig and rejects anything else. IE/Edge are the only browsers doing this.

Obviously, WinHTTP refuses to follow redirection from HTTPS to HTTP.

The problem affects COMODO, Amazon, DigiCert certificates.

1903 effectively disables Proxy settings in the system. I would say that the issue is critical.
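The server-side conditions named in the post above (certificate validation, the `application/x-ns-proxy-autoconfig` Content-Type, and HTTPS-to-HTTP redirects) can be checked against a PAC URL before pointing clients at it. This is an added example, not code from the thread or from Microsoft; the function names are hypothetical, and it validates certificates with Python's default trust settings, which approximates but does not reproduce WinHTTP's own checks.

```python
import ssl
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

PAC_MIME = "application/x-ns-proxy-autoconfig"  # type the post says 1903 enforces


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; the 3xx is surfaced as an HTTPError


def evaluate(url, status, headers):
    """Return findings for one PAC response; an empty list means none seen."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400:
        target = urljoin(url, hdrs.get("location", ""))
        if urlsplit(url).scheme == "https" and urlsplit(target).scheme == "http":
            findings.append("redirect downgrades HTTPS to HTTP: " + target)
        else:
            findings.append("redirect to " + target)
        return findings
    if status != 200:
        findings.append("unexpected status %d" % status)
    mime = hdrs.get("content-type", "").split(";")[0].strip().lower()
    if mime != PAC_MIME:
        findings.append("Content-Type is %r, expected %r" % (mime, PAC_MIME))
    return findings


def fetch_and_evaluate(url, timeout=10):
    """Fetch url with certificate validation on and redirects not followed."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ssl.create_default_context()),
        _NoRedirect())
    try:
        with opener.open(url, timeout=timeout) as resp:
            return evaluate(url, resp.status, dict(resp.headers))
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx responses arrive here
        return evaluate(url, e.code, dict(e.headers))
    except urllib.error.URLError as e:
        if isinstance(e.reason, ssl.SSLCertVerificationError):
            # Covers name mismatch and untrusted chain, as in the event log above
            return ["certificate validation failed: " + e.reason.verify_message]
        return ["download failed: %s" % e.reason]
```

Calling `fetch_and_evaluate("https://<your-pac-host>/proxy.pac")` returns an empty list when none of these conditions is present.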


Anybody?

Isn't it a critical problem/show stopper?

1 person found this reply helpful


We've been told via a Microsoft support ticket that disabling HTTPS PAC downloads in 1903 is by design. Our security dudes are getting twitchy at the prospect of HTTP PAC files though, so it seems like an odd design choice.


Self-signed certificates are working. How come?

Can you send the number of the support ticket or copy the whole response here?


Self-signed certificates are working. How come?

Can you send the number of the support ticket or copy the whole response here?

The whole response was:

"We found that hosting the PAC file on a HTTPS site is never supported by us and it’s a By-Design behavior to see this since the CRL-check for the HTTPS-site requires the PAC file again (doesn’t work with https and works with http). Chrome had the same previously and they recently agreed to resolve this request which you see.

As far as IE and Edge are considered- due to the Certificate Revocation List option in the settings that comes into picture while considering secure connections, it ensures that a secure channel is established correctly (via SSL connection) and the SSL-tunnel requires validation - and that will require another http-request. So this was never supported by us even previously (I suspect that it had worked previously if they access the CRL before checking the PAC file path and browse).”

Not sure I follow that logic though. Why did it work in 1809 without a problem and why does Chrome work without a problem on 1903?


3 people found this reply helpful


Question Info


Last updated October 8, 2020 Views 6,575 Applies to: