By definition, challenge-based authentication displays a credential dialog to users each time they open a web browser. Users must enter their corporate network username and password into the dialog and click Accept before making web content requests. In this context, the feature is also commonly referred to as Captive Portal.
Under certain circumstances, we need to force the Unified Agent to request authentication instead of relying on automatic detection. This is commonly used for remote users who need to validate their credentials with the Web Security Service and whose workstations are not part of Active Directory. That way, we can enforce any policy declared in the Web Security Service for these users. This configuration forces every Unified Agent to request a username and password in all circumstances. If the Unified Agent goes into passive mode, this behavior is bypassed and the credentials are not requested.
The Auth Connector must be configured and running successfully. Your Active Directory must be synchronized with the Portal in order to validate the username and password.
The Unified Agent status cannot be "passive mode". This means that it cannot be running behind a protected location that uses another access method from the Web Security Service (Firewall VPN, Explicit Proxy, etc.).