Windows 7 and Windows Vista users report intermittent problems accessing the Internet through the ProxySG. In this instance, the symptoms are as follows:
This is a known issue unique to ProxySG deployments where IP-based authentication surrogate modes are used with IWA or Windows SSO authentication. In these cases, the appliance is saving credentials that appear as follows: machinename$ or NT AUTHORITY\ANONYMOUS LOGON. Since this isn't the user's actual user ID, policy rules for AD users and groups fail to match, and the user is unable to access web resources to which they should have access.
Here's the timeline of events that lead to this behavior in a typical IWA authentication deployment:
For Windows SSO deployments, the process is a little different:
The end result in both cases is the same -- users aren't tracked in policy or access logging correctly.
In both authentication realm types, the following simple CPL policy will correct this behavior:
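<Proxy>
    ; Let the Windows connectivity check (msftncsi.com) through unauthenticated
    url.domain=msftncsi.com authenticate(no) allow
    ; Challenge again when the stored identity is the anonymous logon
    deny.unauthorized condition=SILENT_USERS realm=<REALM_NAME>

define condition SILENT_USERS
    user="NT AUTHORITY\ANONYMOUS LOGON"
    user="NT AUTHORITY\Anonymous logon"
end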
Windows SSO scenarios have the flexibility of an additional solution. Edit the SSO.INI file (found on the server running BCAAA) as follows:
Now, when BCAAA queries the domain to identify users in this scenario, BCAAA will know that ANONYMOUS LOGON is a service account and not to be used to authenticate proxied user requests.
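To see which clients are affected, the access log can be checked for the non-user identities described above (machinename$ or NT AUTHORITY\ANONYMOUS LOGON). The Python script below is an added example, not part of the original article or any vendor tooling; the log sample is constructed, and its shortened #Fields layout is an assumption (the script relies only on the c-ip and cs-username fields).

```python
import re
from collections import defaultdict

# Constructed sample in ELFF style; the field list is an assumed, shortened layout.
SAMPLE_LOG = r'''#Software: SGOS
#Fields: date time c-ip cs-username sc-status cs-host
2012-03-01 09:00:01 10.1.1.20 - 200 www.msftncsi.com
2012-03-01 09:00:02 10.1.1.20 WKSTN-042$ 403 intranet.example.com
2012-03-01 09:00:05 10.1.1.21 "NT AUTHORITY\ANONYMOUS LOGON" 403 www.example.com
2012-03-01 09:00:09 10.1.1.22 CORP\jsmith 200 www.example.com
2012-03-01 09:00:11 10.1.1.20 WKSTN-042$ 403 www.example.com
'''

# A field is either a double-quoted string (may contain spaces) or a bare token.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def is_non_user(username):
    """True for the identities the article describes: machinename$ or anonymous logon."""
    name = username.strip().lower()
    return name.endswith("$") or name == r"nt authority\anonymous logon"

def find_bad_surrogates(log_text):
    """Return {client IP: {non-user identity: request count}}."""
    fields = None
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the lines that follow
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        values = [quoted or bare for quoted, bare in TOKEN.findall(line)]
        if len(values) != len(fields):
            continue                       # malformed or truncated line
        row = dict(zip(fields, values))
        user = row.get("cs-username", "-")
        if user != "-" and is_non_user(user):
            hits[row["c-ip"]][user] += 1
    return {ip: dict(users) for ip, users in hits.items()}

if __name__ == "__main__":
    for ip, users in sorted(find_bad_surrogates(SAMPLE_LOG).items()):
        for user, count in users.items():
            print(f"{ip}: {count} request(s) logged as {user}")
```

Client IPs reported here are the ones whose IP surrogate holds a non-user identity, so AD user and group rules will not match for them until they re-authenticate.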