Open Radar

 
Summary:
Our environment uses authenticated proxy servers.
Specifically; Blue Coat appliances using SPNEGO (NTLM/Kerberos) authenticating to Active Directory DC's
Authentication to these servers is done via NTLM on iOS 
When accessing a website using Safari, the user is presented with a dialog box requesting
their username and password.
When the user enters these credentials they are, (I assume), saved into the keychain on iOS
The problem occurs when the users password is reset or changed in the AD domain.
When the password is changed, the proxy server requests new authentication details for each http request.
When the user provides these new credentials they are able to browse the internet as expected.
However when the user visits a https site or navigates to a http site that then uses a 302 redirect to a https site
such as when visiting http://www.google.com which then redirects to https://www.google.com.au
the user is presented with a request for username and password for the HTTPS proxy, however instead of allowing access
the connection is dropped and the page does not load. 
Access to http websites is still fine and no issues are apparent when browsing only http websites.

Steps to Reproduce:
1. Start with a clean restored iPad at the "Hello" screen
2. Run through the setup assistant to get to the home screen
3. Join our wireless network - authenticate via 802.1x user auth
4. Accept/trust the NPS certificate
5. Enable the Auto setting for the proxy (our proxy pac file is delivered via DHCP)
6. Open Safari
7. Browse a http website such as www.subaru.com.au
8. Enter in username and password into prompt
9. Browse the website and ensure web page loads.
10. Browse to a secure website such as https://www.google.com.au
11. Enter in the username and password into prompt
12. Ensure you are able to perform searches and access other https secure sites such as facebook.com 
13. Change the users password in AD.
14. Wait approximately 5-10 minutes for the updated user account to replicate throughout the domain.
15. Navigate to a http website such as www.toyota.com.au note that you are prompted for username and password
16. Enter in the username and new password. Note that you are able to browse to http websites without issue
17. Navigate to a https website such as https://www.google.com.au
18. Note that you are prompted for authentication. Enter in your username and new password
19. Note that the connection is dropped and the web page does not load.
20. Attempt to load other https websites such as facebook.com. Note that the connection is dropped and the web page does not load.

Expected Results:
When the user is prompted for HTTPS credentials the user should enter these details and be able to access https websites

Actual Results:
The user enters in their new updated credentials for access to https websites and the connection is dropped and the website does not load. 

Regression:
Tested on iOS 9.3.2, 9.3.3, 9.3.4 and iOS 10 betas DP4 and DP6

Notes: