Windows 8.1 metro apps behind authenticated proxies

Hello all, 

We use a SAML-authenticated cloud proxy (Zscaler). Windows 8.1 rollout is entirely forgotten about in our environment, as metro apps behind such a setup are a non-starter. I have been running test deployments onsite and the best solution for metro apps at this point is 'whitelist the URL to use no authentication'.

Is there any kind of roadmap to incorporate this badly needed feature? We have 1 user in the enterprise (unfortunately the CEO) that seems to find the Surface really neat; however, I get CONSTANT calls from this guy on the weekend because whatever newspaper app stops working every single time his 2-week-long authentication token runs out.

Every time this occurs, I have to run Wireshark and try and guess at what links he's clicking on, fish every single URL out of Wireshark and whitelist that. It's really, really terrible to have to do, and despite having gotten very good at doing it, it's extremely tedious and must be done for every single application.

Is Microsoft aware of this issue, and are they going to build in a browser call when an authentication request is detected?

If Windows 10 also goes this route, I fear we will be stuck on Windows 7 for years, which is a nice OS, but it's starting to show its age a little.

May 7th, 2015 11:44am

Hi dogfish,

The main issue is to configure the proxy for the Windows Store app, right?
Here is a link for reference:
metro app fails to connect the Internet due to proxy settings
http://blogs.technet.com/b/asiasupp/archive/2012/09/11/metro-app-fails-to-connect-the-internet-due-to-proxy-settings.aspx

Best regards

May 8th, 2015 4:11am

Hi, no, proxy configuration is not the issue. The issue is that no metro app at all can perform the authentication routine. So every user can use all apps until their auth cookie expires, then all apps stop working until you authenticate with a web browser again, which is unworkable. The proposed MS solution of 'whitelist every URL an app connects to, and contact the application vendor for a list of those URLs' is also unworkable. What I want to determine is if Microsoft recognises this as an issue, and if there is something on the roadmap to fix it. We use ADFS from Microsoft to authenticate our users, and the fact that all metro apps break during this procedure if user input is required is maddening.
May 8th, 2015 4:50am

Hi dogfish,

" so every user can use all apps until their auth cookie expires, then all apps stop working until you authenticate with a web browser again, which is unworkable"

Considering you are working with ADFS (Active Directory Federation Services), I am afraid this symptom is expected and by design.
Here is a link for reference (pay attention to the "Scenario Description" part):
Developing Modern Applications using OAuth and Active Directory Federation Services
https://msdn.microsoft.com/en-us/library/dn633593.aspx?f=255&MSPPError=-2147217396

Best regards

May 10th, 2015 10:57pm

Hi, 

So Microsoft's design solution is 'you can never use an authenticating proxy (SAML authentication) with Windows 8 applications'?

I find it hard to believe this is the intention. It's clearly a very glaring error? If MS actually expects Windows 10 to gain traction in the enterprise, where authenticating proxies are almost the standard, how are any of us IT guys actually supposed to provide apps at all?

It sounds like the only way I can make this workable is to absolutely restrict access to any app, then whitelist them on an individual basis, as well as all the URLs they use over time.

It's simply not workable at all, and turning off the app store entirely will pretty much be the only option we have to work with this.

May 12th, 2015 6:45am

Hi dogfish,

The apps will work for a while, right?

"So microsofts design solution is 'you can never use an authenticating proxy (SAML authentication) with windows 8 applications' "

I am afraid we may have a misunderstanding here.
According to the link I have posted, the ADFS (Active Directory Federation Services) authorization is obviously supported.

Pay attention to this sentence:
"The token presented by the client to the ToDoListService Web API is a bearer token. The ToDoListService Web API validates the signature of the token to ensure it was issued by AD FS, checks to see if the token is still valid and hasn't expired and may possibly also validate other claims (such as the upn claim) in the token. At this point, the client is either authorized and the information they requested is sent in the response or they are unauthorized and no data will be sent"
According to my understanding, the ADFS (Active Directory Federation Services) authorization is supported, but the token will expire.

We can refer to the following link to check the related token lifetime, and set the token lifetime to have a check.
Claims-based authentication and security token expiration
https://technet.microsoft.com/en-us/library/gg188586(v=crm.6).aspx

If there is anything else I have missed, please feel free to let me know.

Best regards

May 12th, 2015 10:30pm

Yes, I think we are having a misunderstanding.

The issue isn't about ADFS at all really. It's about this:

https://support.microsoft.com/en-us/kb/2778122

which claims to be fixed in 8.1 and is not. As part of our cloud hosting routine, if you are not authenticated (don't have a valid token) you'll be redirected to the authentication page, which, depending on whether or not you are from a 'known' location, will either automatically begin SAML authentication or request that you fill in your email address so the cloud proxy knows where to redirect the client for SAML authentication.

Metro apps just fail on the redirect. I can run Wireshark and see a whole bunch of 307 temp redirects and a broken app, for every single app, unless I whitelist/non-authenticate every URL.


May 13th, 2015 1:14am
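The URL-fishing procedure dogfish describes above (capture the traffic, spot the 307 redirects to the proxy's login page, whitelist each origin host) can be scripted rather than done by eye. The block below is an added example written for this page; it is not code from the thread, from Microsoft or from Zscaler. It assumes the capture has been exported as tab-separated fields in the shape of `tshark -T fields -e tcp.stream -e http.host -e http.request.uri -e http.response.code -e http.location`, where each HTTP packet is one line and a request is paired with the next response on the same TCP stream (no pipelining). Every host name in the sample input is made up, and the portal host name is a parameter you would set to your own proxy's login page.

```python
"""Extract the hosts an authenticating proxy redirected to its login page.

Added example, not from the original thread. Input is a tab-separated export
in the shape of `tshark -T fields -e tcp.stream -e http.host -e http.request.uri
-e http.response.code -e http.location`: one line per HTTP packet, so a request
and its response are separate lines joined by their tcp.stream value. All host
names below are constructed for the example.
"""
from urllib.parse import urlsplit

# 3xx codes a proxy uses to bounce an unauthenticated client to its portal
REDIRECT_CODES = {"301", "302", "303", "307", "308"}

# Constructed capture: streams 1, 2 and 4 are app calls bounced to the portal,
# stream 3 is the portal itself handing off to ADFS, stream 5 is a normal 200,
# stream 6 is an ordinary site redirect that has nothing to do with the proxy.
SAMPLE_EXPORT = """\
# tcp.stream\thttp.host\thttp.request.uri\thttp.response.code\thttp.location
1\tapi.example-news.invalid\t/v2/feed\t\t
1\t\t\t307\thttps://gateway.example-proxy.invalid/login?return=https%3A%2F%2Fapi.example-news.invalid%2Fv2%2Ffeed
2\tcdn.example-news.invalid\t/images/front.jpg\t\t
2\t\t\t307\thttps://gateway.example-proxy.invalid/login
3\tgateway.example-proxy.invalid\t/login\t\t
3\t\t\t302\thttps://adfs.example-corp.invalid/adfs/ls/?SAMLRequest=abc
4\tapi.example-news.invalid\t/v2/article/42\t\t
4\t\t\t307\thttps://gateway.example-proxy.invalid/login
5\tstatic.example-other.invalid\t/a.js\t\t
5\t\t\t200\t
6\tapi.example-news.invalid\t/old\t\t
6\t\t\t301\thttps://api.example-news.invalid/v2/old
"""


def parse_export(text):
    """Yield (stream, host, uri, code, location) per packet, skipping comments."""
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        fields = raw.split("\t")
        fields += [""] * (5 - len(fields))      # pad short lines
        yield tuple(f.strip() for f in fields[:5])


def redirected_hosts(text, portal_host):
    """Map origin host -> list of URIs whose response was a redirect to portal_host.

    The portal itself is never a hit: its own redirect to the IdP is the SAML
    hand-off, not an app request that needs exempting.
    """
    portal = portal_host.lower()
    pending = {}    # tcp.stream -> (host, uri) of the last unanswered request
    hits = {}
    for stream, host, uri, code, location in parse_export(text):
        if host:                       # request packet: remember it
            pending[stream] = (host, uri)
            continue
        if not code:                   # neither request nor response fields
            continue
        request = pending.pop(stream, None)
        if request is None or code not in REDIRECT_CODES:
            continue
        target = (urlsplit(location).hostname or "").lower()
        origin_host, origin_uri = request
        if target == portal and origin_host.lower() != portal:
            hits.setdefault(origin_host.lower(), []).append(origin_uri)
    return hits


def whitelist(text, portal_host):
    """Sorted, de-duplicated host names to exempt from proxy authentication."""
    return sorted(redirected_hosts(text, portal_host))


if __name__ == "__main__":
    for host, uris in sorted(redirected_hosts(SAMPLE_EXPORT, "gateway.example-proxy.invalid").items()):
        print(host, "->", ", ".join(uris))
    print("whitelist:", whitelist(SAMPLE_EXPORT, "gateway.example-proxy.invalid"))
```

The script reports exact hosts rather than full URLs, since that is the granularity at which the proxy exemption is applied anyway. One caveat a practitioner would want stated: every host on that list becomes reachable without user authentication for everyone behind the proxy, so keep the list to exact host names (no wildcards), review it against what the app actually needs, and remember that traffic to those hosts will no longer be attributable to a user in the proxy logs.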

Hello,

Have you installed this hotfix?

3031436 Windows Store apps cannot be updated automatically when proxy service is used in Windows
http://support.microsoft.com/kb/3031436/EN-US

May 13th, 2015 1:27pm

This update is not applicable to a Windows 8.1 Enterprise x64 computer with all updates installed.
May 13th, 2015 4:53pm

Hello,

I would suggest opening a support case then to diagnose your proxy scenario.

There have been a lot of fixes taken for proxies; this was the latest one I could find.

May 13th, 2015 6:05pm

If your conversation with Microsoft Support yields a workaround or solution, please be sure to report back here so that others in your situation can find the information without separately having to open a support case.

Brandon
Windows Outreach Team- IT Pro
Windows for IT Pros on TechNet

May 26th, 2015 3:21pm

I won't be logging a call with Microsoft on this. We don't have a support agreement, and I don't want to pay $250 or whatever the one-off fee is to be told 'whitelist the URLs...', which led me to begin forum discussions.

Our enterprise can just be one of those ones that clings to Windows 7 for too many years.

May 27th, 2015 6:41am

Hi dogfish,

"This update is not applicable to a Windows 8.1 Enterprise x64 computer with all updates installed."

After a double check of this case, I found that the hotfix KB3031436 applies to Windows 8.1 Enterprise.
We can get the information from the "Properties" tab at the following link. To install this KB, KB2919355 should be installed first. Please install them manually to have a check.
Windows Store apps cannot be updated automatically when proxy service is used in Windows
https://support.microsoft.com/en-us/kb/3031436/en-us

Best regards

May 27th, 2015 9:53pm

I attempted to install the hotfix on my affected machine and received a message that it wasn't applicable, hence my response.

In any case, this looks promising for me.

http://directaccessguide.com/2015/03/11/new-windows-8-1-ip-https-proxy-hotfix/

We are indeed DirectAccess users and do have one cert in the store. As such, I'll begin testing this now.

June 8th, 2015 8:08am

Hi dogfish,

How about the issue? Is there anything to update?

Best regards

June 17th, 2015 9:39pm

This topic is archived. No further replies will be accepted.
