IE and Edge ignore PAC (proxy auto config) file

IE and Edge are ignoring the PAC script file. The file is on a webserver using HTTPS. If I change the URL to HTTP it works fine. Is there any known issue with Windows? I started seeing this behavior with Windows 10 Build 1903 but I'm not sure if it wasn't present on previous builds.

Again, using https://someserver/script.pac does NOT work. Using http://someserver/script.pac works.

Note: This could potentially be an issue with WinHTTP, as other browsers work perfectly, like Firefox or Chrome. I'm not sure but I think they use WinINet.


I appreciate your kind and prompt response.

My speculations:

Self-signed certificates do not require getting a revocation list.
HTTP does not require SSL.

IE/Edge/WinHTTP (?) starts the SSL handshake to get the PAC file. At this point Windows Certificate Services should validate the certificate and update the certificate cache. It is done in clear text (OCSP?). Microsoft struggles with the idea that Windows Certificate Services won't use the PAC file because the certificate validity of the host is not yet established. And who am I to question the infinite wisdom...

A nice link: Microsoft TechNet article about requiring authentication to access the actual WPAD/PAC file.

Chris,

Thanks for sending the response. I'm also not too pleased to hear about that, and I do not fully agree with this answer. According to Microsoft's own documentation HTTPS is supported:

https://docs.microsoft.com/en-us/windows/desktop/winhttp/winhttp-autoproxy-support

"Using the DHCP and/or DNS network protocols, the URL of a Proxy Auto-Configuration (PAC) file is discovered. The URL identifies a PAC file on the client's local network. WinHTTP supports only "http:" and "https:" PAC URLs; it does not, for example, support "file:" URLs."


To anyone following this thread,

Eric Lawrence from Microsoft was great in getting the answers, and updated me, regarding the Build 1903 issue we’re facing with HTTPS PAC URLs:

“So, unfortunately the news isn't good. Basically, your best path forward is to open a product support incident with Microsoft Support. This will ensure that you're able to track progress on getting this fixed and backported to 1903.”

“Windows 10 Build 1903 introduced a revocation check for the TLS certificate found when downloading the proxy configuration script from a HTTPS URL.

To avoid a recursive loop (downloading a OCSP/CRL requires figuring out what proxy to use), flags were passed to force the revocation check to only check the local cache and not hit the network.

Unfortunately, this new check failed to also specify that a "revocation data unreachable" should not be treated as a fatal error. As a consequence, HTTPS-served PAC scripts are likely to fail to download.

This will only impact PAC scripts that rely upon HTTPS certificates that specify revocation information (e.g. Fiddler's MITM certificates don't) and HTTPS servers that do not staple a cached OCSP-response to the HTTPS handshake.”

“Basically, there aren't a lot of good workarounds here. 1. If your clients use a private PKI that allows you to generate certs without revocation information, you could use that. Or 2. If the server serving the PAC data could use OCSP-stapling to staple fresh OCSP response data to the response, this should resolve the problem.”

Me: Thanks for all the information. Is there a link to an online response I can direct others to?

“There's not, at present, a KB article or anything like that; the process that generates those is typically kicked off by the formal support incident.”
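An added diagnostic, not from the thread or from Microsoft, that applies the two conditions quoted above (certificate names revocation sources, server does not staple an OCSP response) to decide whether a given PAC host would hit the 1903 failure. It assumes the openssl CLI; the host pac.example.test, the self-signed demo certificates, and the s_client excerpts are constructed for the example.

```shell
#!/bin/sh
# Added diagnostic for the 1903 HTTPS-PAC failure described in the thread.
# Needs the openssl CLI; pac.example.test and the s_client captures below are constructed.
set -eu

# 0 if the PEM cert in $1 names revocation sources (AIA OCSP URI or CRL DP), 1 if not.
has_revocation_info() {
    ocsp=$(openssl x509 -in "$1" -noout -ocsp_uri)
    crl=$(openssl x509 -in "$1" -noout -text | grep -c 'CRL Distribution Points' || true)
    [ -n "$ocsp" ] || [ "$crl" -gt 0 ]
}

# 0 if captured `openssl s_client -status` output shows a stapled OCSP response.
has_stapled_ocsp() {
    printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'
}

# Per the thread: the cache-only revocation check only becomes fatal when the cert
# points at revocation data AND the server does not staple a response.
pac_fetch_verdict() {  # $1=cert.pem  $2=captured s_client output
    if has_revocation_info "$1" && ! has_stapled_ocsp "$2"; then
        echo "likely-fail-on-1903"
    else
        echo "ok"
    fi
}

# Self-signed demo certs for a hypothetical PAC host: "with" adds OCSP/CRL pointers,
# "without" models workaround 1 (private PKI cert carrying no revocation info).
make_demo_cert() {  # $1=out.pem  $2=with|without
    case "$2" in
        with) ext="-addext authorityInfoAccess=OCSP;URI:http://ocsp.example.test -addext crlDistributionPoints=URI:http://crl.example.test/ca.crl" ;;
        *)    ext="" ;;
    esac
    # $ext is split on spaces on purpose; neither extension value contains one.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=pac.example.test" \
        -keyout "${1%.pem}.key" -out "$1" $ext 2>/dev/null
}

tmp=$(mktemp -d)
make_demo_cert "$tmp/with.pem" with
make_demo_cert "$tmp/without.pem" without
# Constructed excerpts of: openssl s_client -status -connect HOST:443 -servername HOST </dev/null
STAPLED='OCSP Response Data:
    OCSP Response Status: successful (0x0)'
NOSTAPLE='OCSP response: no response sent'
echo "revocation info, no staple: $(pac_fetch_verdict "$tmp/with.pem" "$NOSTAPLE")"     # likely-fail-on-1903
echo "revocation info, stapled:   $(pac_fetch_verdict "$tmp/with.pem" "$STAPLED")"      # ok
echo "no revocation info:         $(pac_fetch_verdict "$tmp/without.pem" "$NOSTAPLE")"  # ok
```

Against a real PAC server, feed the certificate from `openssl s_client -showcerts` and the full `-status` output into `pac_fetch_verdict` to see which of the two workarounds applies.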


I also encountered exactly the same problem on a Windows 10 1903 machine.

Last updated October 8, 2020. Views: 6,080.