There can be many reasons why users may receive authentication pop-ups. This article explains only one specific example. 

When NTLM authentication for proxy authentication is employed, authentication pop-ups display when you change the Windows password by password policy.

Condition:
Authentication pop-up box displayed when customer change the windows password by password policy.
A special application is used to change the Windows password, which causes the authentication pop-up.

Troubleshooting steps:
1. To check authentication password: Change the authentication method for only basic credential (this option is just for troubleshooting so that you can confirm with a packet capture the actual password being sent from the browser).
2. BCAAA debug: see Gather BCAAA debug logs
3. Take a packet capture (PCAP)

Potential Results:
From PCAP:  Windows client used an old password for Proxy authentication. If this is the case, the problem is not caused by the ProxySG but rather the client sending an incorrect password.