SPS r12.52 SP1 (CA Access Gateway) strips out a Basic Authentication request from backend server. (worked correctly in SPS r12.0 SP3)

Document ID : KB000100992
Last Modified Date : 13/06/2018
Show Technical Document Details
Issue:
A Web Application resides behind CA Access Gateway (SPS) r12.52 SP1 and is protected with Basic Authentication natively by itself (not by Policy Server).
 
SPS strips a HTTP header “WWW-Authenticate” from the backend.
 
As a result, access to the backend application results in HTTP 401 error while the access was working in SPS r12.0 SP3.
Environment:
CA Access Gateway (SPS) r12.5 or later
Resolution:
Since SPS r12.5 there is an additional parameter :

(1) For authenticated backed connections which require pass through the setting is:
<nete:forward connection-auth="yes">
The addition of : connection-auth="yes" will transfer the WWW-Authenticate header to the client and it will then work as expected.
 
(2) As for regular expression rule, the XML Schema shows that the element nete:result may have the attribute. (See <secure-proxy>\proxy-engine\conf\dtd\proxyrules.dtd)
However, the attribute of: connection-auth="yes" does not work in this case such rule as following:
<nete:result connection-auth="yes">
This is a defect which will be fixed in the future release.