Authenticated users appear as machine names or Anonymous Logon in ProxySG/ASG logs


Article ID: 167528


Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

In access logs, policy traces, or authenticated user lists, you see "NT AUTHORITY\ANONYMOUS LOGON" (or a localized variant) and machine names (names that end with a dollar sign, $) instead of usernames.


Resolution

In cases where the ProxySG or Advanced Secure Gateway (ASG) appliance requests authentication before a user logs in to their workstation, Windows Server instructs the appliance to use either the workstation name (ending with $) or 'NT AUTHORITY\ANONYMOUS LOGON' as the authentication surrogate.

The following Content Policy Language (CPL) code logs out the workstation machine name and makes the user authenticate again (recommended CPL).


; Log out Windows machine accounts and anonymous logons
define condition IWA_SILENT_USERS
     user="NT AUTHORITY\anonymous logon"
     ; French-language variant of the same account
     user="AUTORITE NT\anonymous logon"
     ; Machine accounts: any name ending with a dollar sign
     user.regex='.+\$$'
end condition

<Proxy>
     realm=realmname condition=IWA_SILENT_USERS user.login.log_out(true)



NOTE: Replace realmname with the IWA realm name, exactly as it appears in the configuration. The above CPL only works for a single realm; if you have multiple realms, use the CPL below instead.


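; Log out Windows machine accounts and anonymous logons
define condition IWA_SILENT_USERS
     user="NT AUTHORITY\anonymous logon"
     ; French-language variant of the same account
     user="AUTORITE NT\anonymous logon"
     ; Machine accounts: any name ending with a dollar sign
     user.regex='.+\$$'
end condition

; One line per IWA realm; replace realmname with each realm name
define condition IWA_SILENT_REALMS
     realm=realmname
     realm=realmname
     realm=realmname
end condition IWA_SILENT_REALMS

<Proxy>
     condition=IWA_SILENT_REALMS condition=IWA_SILENT_USERS user.login.log_out(true)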
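
To check whether these surrogate identities still show up in access logs after the policy is installed, the same three tests as IWA_SILENT_USERS can be run over a log export. The script below is an added example, not part of the original article or of any Symantec/Broadcom tooling; it assumes an ELFF-style log whose `#Fields:` header lists `cs-username` and `c-ip`, that values containing spaces are double-quoted, and the function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Same tests as the IWA_SILENT_USERS condition, compared case-insensitively.
SILENT_NAMES = {r"nt authority\anonymous logon", r"autorite nt\anonymous logon"}
MACHINE_ACCOUNT = re.compile(r".+\$$")      # names ending with a dollar sign
TOKEN = re.compile(r'"[^"]*"|\S+')          # assumption: spaced values are quoted


def is_silent_user(username):
    """True if the name is an anonymous logon or a machine account."""
    name = username.strip('"')
    return name.casefold() in SILENT_NAMES or bool(MACHINE_ACCOUNT.match(name))


def silent_user_hits(lines):
    """Count silent identities per (client IP, username) in ELFF log lines."""
    fields, hits = [], Counter()
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # column order for following records
            continue
        if not line or line.startswith("#") or "cs-username" not in fields:
            continue
        values = TOKEN.findall(line)
        if len(values) != len(fields):
            continue                        # malformed or truncated record
        row = dict(zip(fields, values))
        user = row["cs-username"].strip('"')
        if is_silent_user(user):
            hits[(row.get("c-ip", "-"), user)] += 1
    return hits


# Constructed sample log, not taken from a real appliance.
SAMPLE_LOG = r'''#Version: 1.0
#Fields: date time c-ip cs-username sc-status cs-host
2024-01-15 08:00:01 10.0.0.21 "NT AUTHORITY\ANONYMOUS LOGON" 200 example.com
2024-01-15 08:00:02 10.0.0.21 WKS-0421$ 200 example.com
2024-01-15 08:00:03 10.0.0.21 CORP\WKS-0421$ 200 example.org
2024-01-15 08:05:10 10.0.0.21 CORP\jsmith 200 example.com
2024-01-15 08:05:11 10.0.0.35 - 407 example.net
'''.splitlines()

if __name__ == "__main__":
    for (ip, user), count in sorted(silent_user_hits(SAMPLE_LOG).items()):
        print(f"{ip}\t{user}\t{count}")
```

Client IPs that keep producing hits after the policy is in place are the workstations where the machine or anonymous surrogate is still being accepted.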


If you're using Windows SSO, the above CPL will have no effect, because the user credentials are retrieved via the BCAAA agent, which in turn (depending on configuration) queries the Windows Domain Controller directly. To replicate this change in a Windows SSO environment, log in to the appropriate BCAAA Windows server and follow the steps below:

  1. Browse to the BCAAA installation directory (default %programfiles(x86)%\Blue Coat Systems\BCAAA\)
  2. Open the sso.ini file in a text editor
  3. Search for the line containing NetShowServices
  4. Directly below this line add the following text NT AUTHORITY\anonymous logon (See IMG1.1 for reference)
  5. Save the changes and close the file
  6. Restart the BCAAA service (WinKey + R > services.msc > Right-click BCAAA > Restart)

IMG1.1:
