After initially working correctly, your users start receiving a browser popup requesting their credentials, but those credentials are not accepted.
When all 4 proxy ports 8080-8083 are configured, the SWG will assign a proxy instance per port. However, if all traffic is being sent to only one of the active ports, it can overload the NTLM 407 proxy authentication system for the instance active on that port.
Alternatively certain client programs that are not proxy-aware are known to exacerbate this issue by bombarding the gateway with several thousand uncompleted authentication requests per minute.
The problem can be temporarily remediated by disabling and re-enabling LDAP in the SWG interface.
Reduce the number of active proxy instances on the SWG to only one running on port 8080. The SWG will automatically load balance all 4 proxy instances on this port if no other ports are configured.
Spread the browser proxy connection settings over all 4 proxy instances on ports 8080-8083 by using separate GPO policies or using a PAC file to randomize the port used.