Users are intermittently prompted for credentials when they connect to the Internet via ProxySG or ASG. This can be caused by a Netlogon bottleneck (also called an authentication bottleneck).
For more information about the issue, please refer to the Microsoft Support article on this topic.
NOTE: The Netlogon service on the Domain Controller is responsible for creating a Secure Channel (Schannel) between the Domain Controller and its clients (ProxySG/ASG in this case).
The Secure Channel is the path over which authentication packets are passed.
When the issue is happening, check the following data to confirm that it is caused by a Netlogon bottleneck:
1. In the Event Log, there are many "Authentication failed" entries with code 40404:
"Authentication failed with 40404 (0x00009DD4) (symbol: ''): user 'USER-NAME' (domain DOMAIN-NAME) - user considered 'unknown'"
2. Enable LSA/Debug
Go to https://:8082/LSA/Debugmask > enable all debug masks apart from MODULE_SGOS_FDIO and MODULE_LWIO > click Set Mask to apply the change > click View Debug Log
Wait for the issue to occur again > click the Update button > look for the thread message
"No Schannel slots available. Waiting for next available slot."
3. Check the value of "Available (unused) connections"
Go to https://:8082/LSA/Stats
The value of "Connections in use" is the number of Schannel connections configured on the ProxySG.
You will likely find that the value of "Available (unused) connections" is 0.
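The three checks above can be run together over exported data rather than read by eye. The following is an added example, not code from the original article or from Broadcom: it parses constructed sample Event Log lines, LSA debug log lines and LSA/Stats output (all labelled as constructed), counts the 40404 failures and "No Schannel slots available" messages, and only reports a likely Netlogon bottleneck when all three indicators agree. The log formats are assumed to match the strings quoted in the article; real exports may carry different prefixes.

```python
import re
from collections import Counter

# Constructed sample data for demonstration only; not captured from a real appliance.
EVENT_LOG = """\
2024-01-01 09:00:01 Authentication failed with 40404 (0x00009DD4) (symbol: ''): user 'jsmith' (domain CORP) - user considered 'unknown'
2024-01-01 09:00:02 Authentication failed with 40404 (0x00009DD4) (symbol: ''): user 'alee' (domain CORP) - user considered 'unknown'
2024-01-01 09:00:03 Authentication succeeded: user 'bkim' (domain CORP)
2024-01-01 09:00:04 Authentication failed with 40404 (0x00009DD4) (symbol: ''): user 'jsmith' (domain CORP) - user considered 'unknown'
"""
DEBUG_LOG = """\
LSA: request for user 'jsmith' queued
No Schannel slots available. Waiting for next available slot.
No Schannel slots available. Waiting for next available slot.
LSA: request for user 'bkim' dispatched to DC
"""
STATS = """\
Connections in use: 2
Available (unused) connections: 0
"""

# Matches the Event Log line format quoted in the article.
AUTH_FAIL_RE = re.compile(
    r"Authentication failed with (?P<code>\d+) \((?P<hex>0x[0-9A-Fa-f]+)\)"
    r".*?user '(?P<user>[^']*)' \(domain (?P<domain>[^)]*)\)"
)
SCHANNEL_WAIT = "No Schannel slots available. Waiting for next available slot."
# Assumed "Key: integer" layout for the LSA/Stats page.
STATS_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>\d+)\s*$")


def parse_auth_failures(log, code="40404"):
    """Return (user, domain) for every failure line carrying the given code."""
    hits = []
    for line in log.splitlines():
        m = AUTH_FAIL_RE.search(line)
        if m and m.group("code") == code:
            hits.append((m.group("user"), m.group("domain")))
    return hits


def count_schannel_waits(log):
    """Count debug-log lines where a request waited for a free Schannel slot."""
    return sum(1 for line in log.splitlines() if SCHANNEL_WAIT in line)


def parse_lsa_stats(text):
    """Parse LSA/Stats 'Key: value' lines into a dict of ints."""
    stats = {}
    for line in text.splitlines():
        m = STATS_RE.match(line.strip())
        if m:
            stats[m.group("key").strip()] = int(m.group("value"))
    return stats


def assess_netlogon_bottleneck(event_log, debug_log, stats_text, min_failures=1):
    """Combine the three checks; require all of them before blaming the Schannel pool."""
    failures = parse_auth_failures(event_log)
    waits = count_schannel_waits(debug_log)
    stats = parse_lsa_stats(stats_text)
    available = stats.get("Available (unused) connections")
    in_use = stats.get("Connections in use")
    likely = len(failures) >= min_failures and waits > 0 and available == 0
    return {
        "likely_netlogon_bottleneck": likely,
        "indicators": {
            "auth_failures_40404": len(failures),
            "schannel_waits": waits,
            "connections_in_use": in_use,
            "available_connections": available,
        },
        # Users failing most often help confirm it is pool exhaustion, not one bad account.
        "top_users": Counter(failures).most_common(3),
    }


if __name__ == "__main__":
    print(assess_netlogon_bottleneck(EVENT_LOG, DEBUG_LOG, STATS))
```

Because 40404 is also logged for genuinely unknown accounts, the verdict is deliberately gated on the Schannel wait messages and on the available-connection count reaching 0; a high failure count on its own is not evidence of the bottleneck.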
The ProxySG or ASG has joined a Windows Domain, and the IWA_Direct/NTLM method is used for user authentication.
There is no Schannel available for the Netlogon client (the ProxySG or ASG) to use the Netlogon service on the Domain Controller.
1. Ask your AD/DC team to check the MaxConcurrentApi value; if it is 2, increase it to 10 to give the ProxySG or ASG more Schannel connections for authentication.
Once the MaxConcurrentApi value on the DC has been increased, go to Management Console > Configuration > Authentication > Windows Domain > highlight the Domain > click Edit
and increase "Maximum number of concurrent Schannel connections:" to 10.
2. For an explicit deployment, the issue can be eased by using IP surrogate credentials.
NOTE: IP surrogates cannot be used for shared machines, Citrix, or NATed environments.
Go to Management Console > Configuration > Policy > Visual Policy Manager > Launch VPM > Web Authentication Layer > Action > Mode: Proxy IP
3. The issue can also be fixed by using IWA_Direct/Kerberos authentication, which is recommended as the more efficient authentication method.