Topology -:
[Server sharing multiple AD accounts]-----------[ProxySG using IWA authentication]--------------[Internet]
Setup -:
IWA is set up on the ProxySG. The authentication realm is named 'MyRealm'.
Authentication Rules -:
<proxy>
authenticate(MyRealm) authenticate.force(no) authenticate.mode(proxy-ip)
The default policy is set to deny.
https://knowledge.broadcom.com/external/article/167300/what-is-the-difference-between-authentic.html
Authentication modes for proxy deployment
To force requests to be authenticated even when the request is going to be denied, you must include the authenticate.force(yes) property in the <proxy> layer of policy.
Also, to ensure that the correct username is captured on the exception page, set the mode to proxy. In proxy-ip mode the proxy uses the client IP address as a surrogate credential, so every account on the shared server would be attributed to whichever user authenticated first from that address.
Create a rule above the existing authentication rule:
<proxy>
client.address=x.x.x.x authenticate(MyRealm) authenticate.force(yes) authenticate.mode(proxy)
authenticate(MyRealm) authenticate.force(no) authenticate.mode(proxy-ip)
x.x.x.x = the shared server's IP address
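The following is an added example, not part of the KB article or of ProxySG itself: a small Python model of why the two-rule policy above is needed. It models first-match evaluation of the <proxy> layer and the IP surrogate credential that proxy-ip mode caches per client address (authenticate.force is not modelled); the IP addresses, usernames and traffic are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

SERVER_IP = "10.0.0.5"   # constructed stand-in for x.x.x.x, the shared server

@dataclass
class Rule:
    """One authenticate() line of the <proxy> layer; only the parts modelled here."""
    mode: str                               # "proxy-ip" or "proxy"
    client_address: Optional[str] = None    # None: rule has no client.address condition

def select_mode(policy: list, client_ip: str) -> str:
    """Layer evaluation: the first rule whose conditions match the request wins."""
    for rule in policy:
        if rule.client_address is None or rule.client_address == client_ip:
            return rule.mode
    raise RuntimeError("no authenticate rule matched")

@dataclass
class Proxy:
    policy: list
    ip_surrogates: dict = field(default_factory=dict)   # client IP -> cached user

    def handle(self, client_ip: str, presented_user: str) -> str:
        """Return the username the proxy attributes to this request."""
        mode = select_mode(self.policy, client_ip)
        if mode == "proxy-ip":
            # IP surrogate credential: after the first successful authentication
            # from an address, later requests from it reuse the cached identity.
            return self.ip_surrogates.setdefault(client_ip, presented_user)
        # proxy mode: no IP surrogate, so each request's own credentials are used.
        return presented_user

def attributed_users(policy, requests):
    proxy = Proxy(policy)
    return [proxy.handle(ip, user) for ip, user in requests]

def misattributed_ips(policy, requests):
    """Client IPs where the attributed user differs from the one who authenticated."""
    proxy = Proxy(policy)
    return sorted({ip for ip, user in requests if proxy.handle(ip, user) != user})

# Constructed traffic: two AD accounts behind the shared server, one workstation.
REQUESTS = [(SERVER_IP, "alice"), (SERVER_IP, "bob"),
            ("10.0.0.20", "carol"), ("10.0.0.20", "carol")]
BEFORE = [Rule("proxy-ip")]                      # original single rule
AFTER = [Rule("proxy", SERVER_IP), Rule("proxy-ip")]   # corrected layer from the article

if __name__ == "__main__":
    print("before:", attributed_users(BEFORE, REQUESTS))   # bob is logged as alice
    print("after: ", attributed_users(AFTER, REQUESTS))
    print("misattributed IPs before:", misattributed_ips(BEFORE, REQUESTS))
```

Running it shows bob's traffic logged under alice's name with the single proxy-ip rule and correctly under bob once the server-specific proxy-mode rule is placed first, while the workstation keeps using proxy-ip.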