search cancel

Why do valid users get logged as guest on ProxySG; (invalid_surrogate)?


Article ID: 167748


Updated On:


ProxySG Software - SGOS


There can be many reasons why valid users are logged as "guest" on the ProxySG, such as being caused by a misconfiguration or a client that doesn't support authentication in the manner presented by the proxy. However, this article points out a specific configuration setting that may cause unexpected logging and access. 

The "invalid_surrogate" error, when selected in a Permit Authentication Errors action in policy, can automatically cause the ProxySG to log a valid user as "guest" after the surrogate (cookie, IP, or connection) from a previous authentication has expired. 

For example, consider the following conditions to understand how this situation can occur:

  • "Guest Authentication" is configured on the ProxySG
  • User opens a browser to access the internet through the proxy
  • Proxy successfully uses NTLM to authenticate the user and logs him with his domain username of bob.kent
  • Proxy caches the cookie it used as the authentication surrogate for the configured "Refresh Time" of 15 mins
  • Proxy allows the user to access the internet but after 15 mins, the authentication cookie that the browser continues to present is expired
  • Proxy logs the user as "Guest" since the "invalid_surrogate" error is permitted by policy and subsequently the user is limited to the guest access level 

Ultimately, this behavior is likely to be unexpected and can be considered a problem for user experience. To avoid this, the "invalid_surrogate" error needs to be deselected from the Permit Authentication Errors action in policy. 

See 000008712 for steps on configuring "guest authentication". When configuring the Permit Authentication Errors action, do the following to deselect only "invalid_surrogate" so that all other errors required for guest authentication will be permitted.

  1. Click the "Selected errors" radio button
  2. Select "All errors" from the "Show:" drop-down menu
  3. Select "All Except User Credential Required"
  4. Expand the "All Except User Credentials Required" list
  5. Expand the "Invalid User Information" list
  6. Deselect the "invalid_surrogate" error check box (see visual example below)
  7. Click OK

User-added image