Can not connect to SharePoint Store via Proxy

You have a SharePoint 2013 farm and you have configured apps as defined following articles;

Configure an environment for apps for SharePoint (SharePoint 2013)
https://technet.microsoft.com/en-us/library/fp161236.aspx

Enable apps in AAM or host-header environments for SharePoint 2013
https://technet.microsoft.com/en-us/library/dn144963.aspx

http://www.nothingbutsharepoint.com/2013/02/13/configure-an-environment-for-apps-for-sharepoint-2013-aspx/

(In this article we have assume that you dont have any configuration problem)

After you have enabled SharePoint Store Access , you have facing when we go to Apps and click on Purchase app’s we see an error “Sorry we cannot seem to connect to the SharePoint Store. Try again in a bit later” .

but when you check from Browser there is no Access issue for the Office.microsoft.com

You have suspecting that it may be a Proxy issue ; Good news thats very likely you right.

In normal condition we should see a credential prompt because of the Proxy Auth request but it is not happening well because it is worker process making that request not the browser.

To able to handle this issue , you should add https://store.office.com and https://office.microsoft.com to IE trusted sites because of automatic logon option should provide concurrent user credentials when proxy ask.

Another problem;

Proxy authentication can not be done by IIS Worker Process (where sharepoint run) even we have configured <defaultproxy> settings correctly in related web application web.config. we have seen in network traces SharePoint Worker Process somehow could not passing the credentials (we are expecting Application Pool Identity should in use) to proxy server making like an anonymous request so the Proxy server so it has been rejecting authentication . In our last log analysis and session we have identified the root cause of the problem : One of The IIS Site web.config settings is causing the issue <appSettings>
<add key=”aspnet:AllowAnonymousImpersonation” value=”true” />
</appSettings>

https://msdn.microsoft.com/en-us/library/hh975440(v=vs.120).aspx

To enable this setting, you must have IIS 7 or IIS 7.5 or upper running in Integrated mode (which SharePoint works like this)  When this setting is enabled, the application runs under the security context of the IUSR identity. Additionally, creating a Forms-based Authentication Web Application (Which Sharepoint in Claims mode we have to enable forms auth)  will enable the setting and set it to true.

This is a design issue of how IIS works. The issue happenning because of the application runs under the security context of the IUSR identity and the <defaultproxy>  useDefaultCredentials ”true” it passes IUSR’s credentials to proxy which is anonymous , it is not a real domain user.

For resolution:

– We can remove this from WFE servers but it is require to make some tests that you don’t facing the problem of “SharePoint impersonates the IUSR account and is denied access to resources” and verify your sites and sharepoint components are working correctly. To workaround the issues, you need to determine if the setting is mandatory for your environment, and if not, you can set it to ‘false’. https://support.microsoft.com/en-us/kb/2686411

Important  : if you disable this feature, then anonymous users are impersonating the application pool account. Which would be an elevation of priviledge.

– You can add an exclusion on Proxy server from SharePoint Server internet requests may not required any authentication .

– You can test to create a simple proxy module (which requires custom code development and IIS module integration) handle the proxy authentication.