Forward the Domain and Username Information (WinNT://Domain\Username) from the child proxysg to upstream proxysg or single proxysg to DLP, and then pass via ICAP:-
Child Proxy - Local Policy Files
------------------------------------------
<Proxy>
action.ControlRequestHeader1(yes)
define action ControlRequestHeader1
set(request.x_header.username, "$(user.domain)\$(user.name)")
end action ControlRequestHeader1
Parent Proxy - Configuration -> Authetntication - Policy Substitution - User Information (Ignore this on Single ProxySG)
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Realm name: ad
Username: $(request.x_header.username)
Full username: $(request.x_header.username)
Parent Proxy - Local Policy Files (Ignore this on Single ProxySG)
------------------------------------------------------------------------------
<Proxy>
Authenticate(ad)
Please note that on ICAP configuration make sure the send autheticated-user is enable.