"Allowing or permiting authentication failures on the ProxySG"

You want to allow certain authentication errors because you do not want your users to be denied web access based on these errors. For example, if a user's password has recently expired, you may want to continue allowing them to access the web when authenticating to the ProxySG until they have the opportunity to change their password. The ProxySG can be configured to allow the request when specified authentication failures are received from a directory server such as Active Directory.

This document assumes that a properly configured and functioning authentication realm exists and policy is also configured to use that authentication realm.

For the example given below, "Authenticate1" is the name used for the authentication realm.

To allow or permit the any authentication failures:
-------------------------------------------------------------------
1. Go to the existing Web Authentication Layer.
2. At the existing rule --> Click on the Action tab (Authenticate1).  Click on Set > New > Combined Action Object
3. The Add Combined Action Object dialog will appear.  Click on New --> Select "Permit Authentication Error"
4. The Add Permit Authentication Error Object dialog will appear. 
5. Click the "Selected Errors" radio button.
6. For a granular list of errors, select "All errors" from the "Show" drop-down menu.
7. Select the authentication errors that you want to be allowed and then click the OK button. For example: "account_must_change_password"
8. Select "Authenticate1" and click the Add button to move it to the "Selected Action Objects" list.
9. Then select the new created object "Permit All Authenticate Errors" and click the Add button to move it to the "Selected Action Objects" list.
10. Now  both objects (Authenticate1 and Permit All Authenticate Errors) are listed under the "Selected Action Objects".
11. Click OK
12. Click "Install Policy" and test.