Proxy Prompt at logon ? (stores credentials plaintext)

[KrisJanssen]

Describe the bug Azure Batch Explorer Logon behavior is very different from Storage explorer. We run bot Batch and Storage explorer on a VDI/WVD host pool to connect to private endpoint batch and storage accounts respectively.

ADFS sign-on with Storage Explorer always works flawlessly in line with our conditional access policies.

Batch explorer sign-on will randomly stop working until we clear out AppData folders, at which point, Batch Explorer throws up a 'Proxy' Dialog:

This dialog does not mention a proxy but accepts my Azure AD credentials, after which normal MFA sign-on can proceed.

Can someone please explain what this is?

To Reproduce Steps to reproduce the behavior:

1. Clear Any Batch Explorer cach from C:\Users\\AppData\Romaing
2. Logon will present 'Proxy Dialog'
3. Dialog accepts AD uname and pwd
4. Normal Azure AD sign-on can only complete after completing proxy dialog, even though we do not work with a proxy

Expected behavior Normal Azure AD sign-on with MFA as with torage Explorer, we do not use a proxy.

Version (please complete the following information):

• OS: Windows (WVD host)
• Version 2.17.0 Stable (and all versions preceding it)

[KrisJanssen]

I have looked into this further:

If I do not enter valid credentials in the proxy prompt, Authentication cannot occur:

If I enter a valid username but an invalid password, II get a blank screen:

This is not only bad UX (it is not apparent in the latter case what is wrong) and it is also a potential security issue as Batch explorer saves credentials it prompts for in plaintext:

Note how the URL's for proxy are empty but credentials are populated.

What is the purpose of the seemingly default proxy prompt and why is it only seemingly triggered when running Batch Explorer on a WVD and not on my local machine?

https://github.com/Azure/BatchExplorer/blob/7f850860ef6f00ae820ef31cd218f9c94dd48c2a/desktop/src/client/core/batch-explorer-application.ts#L231

[KrisJanssen]

I found this issue might be related to https://github.com/Azure/BatchExplorer/issues/2429

@dpwatrous , @rfernand2

[gingi]

Hi Kris,

Apologies for this behavior. I don't think I've seen Batch Explorer prompt a user for proxy creds unless the user specifically opts to configure them and it doesn't make sense to me that it would. ADFS has caused some issues in the past. I will look more closely into what causes this behavior.

Relatedly, we are in the process of deploying a first-party AAD app that will allow us to support conditional access and other more advanced AD scenarios, the way Storage Explorer does. Right now we're restricted by virtue of a legacy AAD app. But until that's done, I'll see if we can address this behavior specifically. We are also planning to store proxy creds in a secure data store (those creds should never include your AAD password). Would you be able to send a zip of the logs to shpaster at microsoft dot com?

[KrisJanssen]

No problem at all, already happy it wasn't my imagination :)

The oddity is that the 'proxy dialog' only triggers when running Batch Explorer on VDI or Azure hosts which are mostly isolated by NSG or a FW and can only connect to required service tags.

On my personal device, no such thing (but then that does not have access to certain private endpoint batch accounts):

I have looked into the bootstrapping code of the app and I can see locations where the dialog might be triggered but I am not really set up for JS/TS development so I cannot quite figure it out.

Also odd: the dialog only has uname and pwd fields when triggered at app startup, whereas when manually opening proxy settings, you get the full dialog...

Then to top it all off: what you enter in the dialog for uname and pwd does affect wheter the app functions or not...

[KrisJanssen]

Hi @gingi, would there be an update on this one by any chance?