Docker desktop keep asking for proxy authentication after update to 4.15.0

[Renan-Di]

• [x] I have tried with the latest version of Docker Desktop
• [x] I have tried disabling enabled experimental features
• [x] I have uploaded Diagnostics
• Diagnostics ID: 2B17A628-3759-4CB8-AC03-78926031FBFF/20221213114212

Actual behavior

After start docker asks for proxy authentication, providing authentication does nothing besides updating existing credentials in the windows credential manger, dokcer keeps asking forcredentials forever.

Expected behavior

After providing the credentials docker reuses it until anything change.

Information

Here at work we use a NTLM proxy configured system wide, as docker automatically detect proxy configuration i dont needed to configure it manually inside docker, in the first use docker asked for proxy authentication, after provided docker stores it under windows credentials and reuses it. Yesterday i upgraded from version 4.14.1 to 4.15.0, after docker restarted it asked for credentials, providing it, updated the credentials at wincred but docker keeps asking for credentials after that. Setting the proxy configuration inside docker works fine and reuses alerady existing creds in wincred but the former behavior is desired.

• Windows Version: 22H2 22621.819
• Docker Desktop Version: 4.15.0
• WSL2 or Hyper-V backend? WSL2
• Are you running inside a virtualized Windows e.g. on a cloud server or a VM: No

Output of & "C:\Program Files\Docker\Docker\resources\com.docker.diagnose.exe" check

[2022-12-13T11:57:31.836869700Z][com.docker.diagnose.exe][I] set path configuration to OnHost Starting diagnostics

[PASS] DD0027: is there available disk space on the host? [PASS] DD0028: is there available VM disk space? [PASS] DD0002: does the bootloader have virtualization enabled? [SKIP] DD0018: does the host support virtualization? [PASS] DD0001: is the application running? [PASS] DD0022: is the Virtual Machine Platform Windows Feature enabled? [PASS] DD0021: is the WSL 2 Windows Feature enabled? [PASS] DD0024: is WSL installed? [PASS] DD0025: are WSL distros installed? [PASS] DD0026: is the WSL LxssManager service running? [PASS] DD0029: is the WSL 2 Linux filesystem corrupt? [PASS] DD0035: is the VM time synchronized? [PASS] DD0017: can a VM be started? [PASS] DD0016: is the LinuxKit VM running? [PASS] DD0011: are the LinuxKit services running? [PASS] DD0004: is the Docker engine running? [PASS] DD0015: are the binary symlinks installed? [PASS] DD0031: does the Docker API work? [PASS] DD0013: is the $PATH ok? [PASS] DD0003: is the Docker CLI working? [PASS] DD0005: is the user in the docker-users group? [PASS] DD0014: are the backend processes running? [PASS] DD0007: is the backend responding? [PASS] DD0008: is the native API responding? [PASS] DD0009: is the vpnkit API responding? [PASS] DD0010: is the Docker API proxy responding? [PASS] DD0006: is the Docker Desktop Service responding? [PASS] DD0012: is the VM networking working? [SKIP] DD0030: is the image access management authorized? [WARN] DD0033: does the host have Internet access? unable to fetch http://docker.com/ [PASS] DD0002: does the bootloader have virtualization enabled? [PASS] DD0018: does the host support virtualization? [PASS] DD0001: is the application running? [PASS] DD0022: is the Virtual Machine Platform Windows Feature enabled? [PASS] DD0021: is the WSL 2 Windows Feature enabled? [PASS] DD0024: is WSL installed? [PASS] DD0025: are WSL distros installed? [PASS] DD0026: is the WSL LxssManager service running? [PASS] DD0029: is the WSL 2 Linux filesystem corrupt? [PASS] DD0035: is the VM time synchronized? [PASS] DD0017: can a VM be started? [PASS] DD0016: is the LinuxKit VM running? [PASS] DD0011: are the LinuxKit services running? [PASS] DD0004: is the Docker engine running? [PASS] DD0015: are the binary symlinks installed? [PASS] DD0031: does the Docker API work? [PASS] DD0032: do Docker networks overlap with host IPs?

Please note the following 1 warning:

1 : The check: does the host have Internet access? Produced the following warning: unable to fetch http://docker.com/

If the host does not have Internet access then containers will also not have Internet access.

The lack of Internet access could be caused by

• physical disconnection: check your ethernet cable or Wifi network
• the local network firewall policy: check with your IT department if access to docker.com is expected to work
• a VPN (or lack of one): try again with or without the VPN running

No fatal errors detected.

[ben-page]

Possibly related, since 4.15.0 our firewall sees all traffic from inside Docker as proxy traffic and is blocking.

[mamaruta]

This issue is also happening to me and it is a blocker. Is there a way to rollback the previous version without having to setup everything all over again?

[mdemierre]

Same at our organization, here with MacOS and Windows. We have a NTLM authenticating proxy, which does not always ask for authentication. They have a kind of IP-based session that only requires auth every N seconds, which can make debugging auth issues difficult.

It worked in 4.12 (thanks to the sessions I believe). It then got broken in 4.13-4.14 (couldn't login, support case: 00046201). Then it worked again in 4.15, thanks to the following change I think (even though it's marked as Windows): "Fixed an issue where the system HTTP proxies were not used when Docker starts and the developer logs in."

But now this infinite credential form bug appeared. I tried the manual as well as automatic proxy detection. Automatic proxy detection doesn't work at all. With manual config the problem appears.

Maybe there is an issue with reusing the credentials? Or maybe the behavior at startup that was fixed in 4.15 is special and does not behave like the rest of the proxy handling?

Diagnostics ID (MacOS): 22A14D31-8852-4F9A-89FC-9D04E7ECEE8B/20221216093010 (uploaded from CLI as GUI doesn't work properly)

I submitted a support case (mentioning MacOS) as we have commercial support. Case number is: 00049984.

[wglambert]

Did the 4.16 release resolve this issue? https://docs.docker.com/desktop/release-notes/#bug-fixes-and-enhancements-1

Fixed a bug where the user is prompted for new HTTP proxy credentials repeatedly until Docker Desktop is restarted.

[schenkjan]

Did the 4.16 release resolve this issue? https://docs.docker.com/desktop/release-notes/#bug-fixes-and-enhancements-1

At least in my work environment on my Windows machine the problem still perists with version 4.16 😢 .

[nathonfowlie]

Confirming I also get the persistent prompt on 4.16.1 when behind a corp proxy (Windows 8)

[mdemierre]

Still happening for us as well with 4.16.2 (MacOS 12.6.2). Did a full uninstall of 4.12 and then reinstalled 4.16.

Diagnostics ID: 22A14D31-8852-4F9A-89FC-9D04E7ECEE8B/20230120143227

[Renan-Di]

Still happening, i also observed that it stop's using the windows trusted certificates, in my case our docker repo uses a self signed certificate trusted by windows.

[mdemierre]

@Renan-Di This might indeed have an influence, in our case the proxy is using a certificate signed by an internal CA, which is installed in the MacOS or Windows trust stores.

[LongLiveCHIEF]

I'm still experiencing this on Mac with 4.16.2 (95914)

[djs55]

Thanks for the report. We've made some fixes in the HTTP proxy handling which could help. Could you try using a developer build and letting us know what happens?

• Windows
• Mac Apple Silicon
• Mac Intel

If you still experience the problem could you reproduce the issue, upload a fresh set of diagnostics and quote the ID here? Thanks in advance!

[mdemierre]

Hi @djs55 I tried to run the given MacOS ARM build.

Now I see one change: the proxy is auto-detected, I don't need to manually enter the configuration.

But unfortunately it still asks for credentials every time. And interestingly even with terminal I'm not able to upload diagnostics. I was able to do it before, due to proxy config being set in env vars and the proxy doing sessions (not asking for password every time).

Error uploading: Put "https://docker-pinata-support.s3.amazonaws.com/incoming/3/53F3E043-4D0F-4D50-8988-37BF3429C549/20230208161427.zip": context deadline exceeded

It seems to be linked to the credentials window, as if I close it the error is different.

I got out of VPN and proxy, and was able to upload diagnostics: 53F3E043-4D0F-4D50-8988-37BF3429C549/20230208161942

but it might not be useful since it was generated outside of the problematic network.

I checked as well that the credentials are saved in MacOS keychain. They are, with the right username and password.

I have support case 00049984. If you want you can contact me and we can experiment together live.

[djs55]

Latest developer build update for anyone who would like to try:

• Apple Silicon Mac
• Intel Mac
• Windows

[patrick-mota]

Same problem behind corporate proxy with the latest developer build linked.,..

I tried with domain\username + password, username + password, nothing works. Could the problem be from the chars in the password like !! or @# ?

Something interesting in this version, if I close the prompt (via x), the prompt doesn't appear anymore for few minutes and I can do docker pull.

If I try to docker pull or login from one of our internal registry (which is in "no proxy" in windows configuration so should not use the proxy) docker desktop will ask for username password of the proxy.

It's really strange.

I don't know if it will help you but I remember in the past with docker desktop, we had a bug because our windows 10 was in french, probably not related but who knows..

[patrick-mota]

I found a workaround to docker login to one of our internal registry...

I check "Manual proxy configuration" (toggle on) and I clean all fields (so they are empty).

Apply & restart => then docker login in wsl2 and it works but I can't pull any image from an external company registry (like docker hub).

Seems normal because I say to docker desktop "use proxy" and he will an empty proxy url.

So if the registry is internal, it doesn't require any proxy and will work. But if I pull an external one (like docker hub) it will not work since I need a proxy to go outside.

I have to choose between internal registry or external registry and redo this steps everytime.

I don't know if I remember well but in older Docker Desktop version, do we had the choice for "No proxy", "System", "Manual" ? Could be related ?

EDIT, Solution found for my problem: I set the manual proxy configuration in docker desktop and it seems (I don't know why) when I updated my docker desktop the "by pass proxy settings" was changed. I had a ; and a space between my hosts. I just changed ; to , and cleared all spaces.

Then I tried again to docker pull and it works perfectly... I hope it will keep working like that.

I don't know if the solution is a mix of my solution and the last dev build provided but thank you for following up the problem.

EDIT: Doesn't work again today, keeps asking for proxy username/password and I can't get any docker image from docker hub anymore.

[djs55]

@patrick-mota thanks for the feedback about the syntax for the bypass proxy settings. A comma-separated list is fine. We'll make this clearer by adding some description text to the UI.

[patrick-mota]

I found a working work around (for the moment...), I use CNTLM in windows 10 to create a local proxy which auth to our corporate proxy. I set this proxy in Docker Desktop and it works since it doesn't asks me for the password.

[mdemierre]

Hi @djs55 and others,

(Posting here a copy of my latest message on the support case 00049984 with some additional context)

When I removed the keychain entries added by Docker Desktop for the proxy credentials, everything worked at first. This is because our proxy keeps sessions and doesn't ask for credentials every time.

However, the problem reappeared after a while as expected. I guess the proxy asked for authentication. Docker re-added the keychain items with my credentials, and now asks for proxy credentials continuously again.

I upgraded to the public release from today as it has a more recent build number. So I am now on 4.17.0 (99724, MacOS ARM). I completely uninstalled Docker Desktop before installing 4.17.0, but didn’t remove the keychain item this time. This time the problem started to happen right away.

Like last time, I tried both the autoconfig and manual proxy config. Same results for both.

I wasn’t able to upload diagnostics as is, even from the CLI. I had to switch to a different Wifi network (without proxy) to send it.

Diagnostics ID: E6BD9C9E-8727-4320-8E21-8A758A9379A9/20230228092621

[adbe-glauser]

I can confirm the same issue on OSX ARM64 with 4.17.0, downgrading to 4.16.2 seems to have solved the issue. Looks like a regression, we see a few proxy related changes in the release notes.

[docker-robot[bot]]

There hasn't been any activity on this issue for a long time. If the problem is still relevant, mark the issue as fresh with a /remove-lifecycle stale comment. If not, this issue will be closed in 30 days.

Prevent issues from auto-closing with a /lifecycle frozen comment.

/lifecycle stale

[schenkjan]

/remove-lifecycle stale

[schenkjan]

I'm currently running v4.20.1 and the problem still persists.

[had1z]

I'm currently running v4.20.1 and the problem still persists.

I can confirm that the problem still exists on v4.20.1.

[last-Programmer]

I am also having the issue with v4.20.1

[Prikalel]

CNTLM guy seems to be the only solution

[couzhei]

Same for v4.23.0

[mocanuMatei]

Same for v4.23.0

Is there anyone from Docker who is looking into this? After one year the problem is still here.

[bsousaa]

@mocanuMatei @couzhei can you share a diagnostics id?

[blinkeye]

Same for v4.25.0 (126437), pristine installation. Diagnostics id: e453cffa-0abf-4ae9-bef3-b5f2edde5a4f/20231105183929

[DanielJerrehian]

Still facing this issue

[asafsilman]

Same issue on 4.24.2.

I'm using a CNTLM proxy with no auth (No username or password required to use proxy), and I still get this prompt every time docker tries to connect to the internet. This is the error I get in the command line when I close the dialog.

ERROR: failed to solve: ubuntu:16.04: failed to do request: Head "https://registry-1.docker.io/v2/library/ubuntu/manifests/16.04": password prompt closed

Diagnostics id: 459C42AF-AAA0-4350-9660-9D72146AFD0D/20231123011716

[asafsilman]

Hi there,

I've investigated this issue a bit more using wireshark. The issue appears to be that docker is forcing a Proxy-Authorization header when it is not required.

This dialog window which appears (see below) has no option for no credentials.

If I close the dialog it attemps to connect again using the credentials which I've previously entered. In this case U:a, P:a.

I'm not exactly sure how the proxy settings ended up getting in this state, but I was able to trick it by replacing the hostname with the proxy IP directly. This didn't prompt me for credentials. And inspecting the network traffic, did not include a Proxy-Authorization header.

Docker was able to successfully connect to desktop.docker.com, and appears to have fixed the issue.

Hopefully this helps in resolving this issue as I belive this is similar behaviour to what others have observed.

[mdemierre]

It seems like on Windows the NTLM and Kerberos proxies are now supported: https://docs.docker.com/desktop/release-notes/#4300. It might solve this issue for Windows users.

On MacOS I'm still using alpaca as local proxy, it does Kerberos auth transparently.

@bsousaa @djs55 Do you know if this feature is planned for MacOS and Linux as well?

[ArunPrakashsk]

Still getting this issue in the docker version 4.35.1 and getting the proxy After start docker , providing authentication does nothing besides updating existing credentials in the windows credential manger, docker keeps asking for credentials forever.