CLE going through a Proxy fails connection with Internet Explorer 8 or 9

  • 7014422
  • 16-Jan-2014
  • 16-Jan-2014


NetIQ Identity Manager 4.0


Client Login Extension (CLE) does not send the user to the Forgotten Password link when going through a Proxy that needs a certificate.  It just hangs or brings up a prompt to accept the certificate.


CLE uses Microsoft's webcontrol interface to render web pages. In the webcontrol interface, the SSL related transactions such as CRL verification etc. are performed by the Windows Crypto Layer using WinHTTP API. The Windows Crypto Layer comes into action automatically depending on the transaction and is not directly controlled by CLE. If the WinHTTP API is not able to perform certain transactions, such as CRL validation, it would show a warning to the user.
The WinHTTP uses the proxy setting(s) for the user under whose context the process is initiated or running. Since CLE runs in System user context, the Windows Crypto Layer will run WinHTTP services under the same system user context and will use the proxy settings configured for system user. If no proxy information is present the WinHTTP services would try a direct connection and would fail if the direct connection is not possible. The WinHTTP API can be configured to use a proxy as detailed in
The (NetSH + WinHTTP) shell can be used to configure a static proxy for WinHTTP. It will not override the Internet Explorer proxy settings.
Alternatively the WinHTTP can be configured to use the settings from the IE for a given user ( ).
Problem Resolution: Based on the information above, the following steps are necessary (based on our testing) to make WinHTTP behave appropriately on your image and use a proxy.
1. Apply the Windows Updates to the workstation (minus any update to IE10 or IE11).
2. Use the NETSH command as outlined in the Microsoft Knowledgebase Article.
a. Open a command prompt and type "netsh" to get into NETSH mode
b. Type "winhttp" to get into WinHTTP mode.
c. Type "set proxy myproxy:80" and replace myproxy:80 with the IP address and port of your proxy.