
Proxy showing incorrect username in exception page thrown for blocked requests


Article ID: 238381




ProxySG Software - SGOS


  • ProxySG shows an incorrect username on the exception page returned for blocked requests when multiple users are logged in to the same server and try to access a blocked website.
  • The username shown on the exception page is that of the first user who logged in to the server.


  • Whether or not reports show usernames for blocked requests depends on the order in which denial and authentication occur in the policies you have defined.
  • When the ProxySG appliance intercepts a client request, it uses the URL to determine the content category. If the category is blocked by your content filtering policies, the request is denied before the user has been authenticated, so the username is not available for logging. This is because Deny has precedence over authentication.
  • This is explained in the article below:



  • Also, since the authentication mode is set to proxy-ip, ProxySG creates a surrogate based on the client IP after the client authenticates. This is explained in the article below:

Authentication modes for proxy deployment




Topology:

[Server sharing multiple AD accounts]-----------[ProxySG using IWA authentication]--------------[Internet]

Setup:

IWA is set up on the ProxySG. The name of the authentication realm is 'MyRealm'.

Authentication rules:


authenticate(MyRealm)  authenticate.force(no) authenticate.mode(proxy-ip)  

Default policy is set to deny


To force requests to be authenticated even when the request is denied, you must include the authenticate.force(yes) property in the <proxy> layer of policy.

Also, to ensure that the correct username is captured on the exception page, set the mode to proxy.

Create a rule above the existing authentication rule:

 client.address=x.x.x.x authenticate(MyRealm)  authenticate.force(yes) authenticate.mode(proxy)  
 authenticate(MyRealm)  authenticate.force(no) authenticate.mode(proxy-ip)

x.x.x.x = Server IP
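
The following is an added illustration, not ProxySG code and not part of the original article: a simplified Python model of the behaviour described above, showing why the IP surrogate created in proxy-ip mode attributes a blocked request to the first user, and how the per-server rule with authenticate.force(yes) and authenticate.mode(proxy) changes that. The IP addresses, usernames, and the ProxyModel/replay names are constructed for the example, and the lookup logic is an assumption based only on this article's description.

```python
from dataclasses import dataclass, field

SERVER_IP = "192.0.2.10"  # constructed stand-in for x.x.x.x, the shared server


@dataclass
class Request:
    client_ip: str
    conn_id: int   # one connection to the proxy per logged-in user session
    user: str      # credentials the client would present if challenged
    denied: bool   # True when policy blocks the URL


@dataclass
class ProxyModel:
    fixed: bool = False                                # True = new rule added
    ip_surrogates: dict = field(default_factory=dict)  # client IP -> username
    conn_users: dict = field(default_factory=dict)     # connection -> username

    def username_for(self, req: Request):
        if self.fixed and req.client_ip == SERVER_IP:
            # authenticate.force(yes) authenticate.mode(proxy): always challenge,
            # and bind the identity to the connection rather than to the IP.
            return self.conn_users.setdefault(req.conn_id, req.user)
        # authenticate.force(no) authenticate.mode(proxy-ip)
        if req.client_ip in self.ip_surrogates:
            return self.ip_surrogates[req.client_ip]  # reuse the IP surrogate
        if req.denied:
            return None  # deny wins before authentication: no username
        self.ip_surrogates[req.client_ip] = req.user  # first login creates it
        return req.user


def replay(proxy: ProxyModel):
    """Constructed traffic: alice and bob share SERVER_IP; carol has her own PC."""
    traffic = [
        Request(SERVER_IP, 1, "alice", denied=False),
        Request(SERVER_IP, 2, "bob", denied=True),
        Request(SERVER_IP, 1, "alice", denied=True),
        Request("192.0.2.55", 3, "carol", denied=True),
    ]
    return [(r.user, proxy.username_for(r)) for r in traffic]


if __name__ == "__main__":
    for label, proxy in (("original", ProxyModel()), ("new rule", ProxyModel(fixed=True))):
        for actual, shown in replay(proxy):
            print(f"{label:9} real user={actual:6} exception page shows={shown}")
```

In the model, bob's blocked request is reported as alice under the original rule and as bob once the server-specific rule is in place, while carol's client, which does not match client.address, behaves as before.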