CloudSOC with any active Gatelet throws Access Denied when user tries to open/sign in any domain related resource (eg. OneDrive)


Article ID: 274171


Products

CASB Gateway Advanced

Issue/Introduction

User authentication fails: the end user gets the generic "Access Denied" message from CloudSOC when they try to access or sign in to any domain that is routed through CloudSOC (for example, OneDrive).

Environment

The CloudSOC Gateway is configured with at least one Gatelet, and traffic is routed correctly through Cloud SWG to CloudSOC.

Cause

User authentication fails because proxy chaining is configured to send only the user's NetBIOS ID (Domain\User), and that value does not exist as a Secondary User ID in the user's profile in CloudSOC. The user lookup therefore has nothing to match against and the request is denied.

A prerequisite for Gatelet authentication is that every Gatelet user has a matching Secondary User ID populated in CloudSOC. This can be done in one of the following ways:

  1. Active Directory sync using an on-premises SpanVA instance.
  2. Manual update via the User APIs, Batch User Updates, or manual editing in the console.

Behavior and settings observed when it fails:

  • No Secondary User ID has been synced to CloudSOC for the affected users.
  • The user lookup fails in CloudSOC.
  • Navigating to any Gatelet domain fails with a CloudSOC message complaining about a missing user ID.


Resolution

  • In the CloudSOC console, redefine the attributes used for the Secondary User ID (CloudSOC Console > Settings > SpanVA) so that they include the identity the proxy forwards (Domain\User).
  • Force a full sync from SpanVA, then confirm that the Secondary User ID now appears on the affected user profiles before retesting access to a Gatelet domain.


Additional Information

Setting Up Proxy Forwarding to CloudSOC Gateway

Alternatively, the proxy chaining configuration can be modified so that the proxy also sends the user's email address, giving CloudSOC a second value to match during user lookup. The following KB article covers this:
Use Email to Authenticate CASB GW for Proxy Forwarding
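The lookup failure described in Cause, the fix in Resolution (redefine the Secondary User ID attributes and force a full sync), and the email-forwarding alternative under Additional Information are modelled together in the following Python script. It is an added illustration, not CloudSOC, SpanVA or Cloud SWG code: the directory records and profiles are constructed sample data, the forwarding modes "netbios" and "email" stand in for the two proxy chaining configurations, and all function and field names are assumptions made for the example rather than CloudSOC API names. It shows which users would still get Access Denied under each configuration, including a user whose AD account has no mail attribute and a user who was never synced into CloudSOC at all.

```python
"""Model of the CloudSOC user lookup that fails in this article.

Added illustration, not CloudSOC or SpanVA code. The directory records and
profiles below are constructed sample data; the function and field names are
assumptions made for the example, not CloudSOC API names.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AdUser:
    """Subset of an Active Directory user object (constructed sample)."""
    netbios_domain: str
    sam_account_name: str
    user_principal_name: str
    mail: Optional[str]


@dataclass
class CloudSocProfile:
    """A CloudSOC user profile: one primary ID plus synced secondary IDs."""
    primary_id: str
    secondary_ids: Set[str] = field(default_factory=set)


def normalize(ident: str) -> str:
    return ident.strip().lower()


def forwarded_identity(user: AdUser, mode: str) -> Optional[str]:
    """Identity the proxy chaining sends to CloudSOC for this user.

    'netbios' is the Domain\\User form from the article; 'email' is the
    alternative configuration linked under Additional Information.
    """
    if mode == "netbios":
        return f"{user.netbios_domain}\\{user.sam_account_name}"
    if mode == "email":
        return user.mail  # None when the AD account has no mail attribute
    raise ValueError(f"unknown forwarding mode: {mode}")


def build_index(profiles: List[CloudSocProfile]) -> Dict[str, CloudSocProfile]:
    """Map every primary and secondary ID (case-insensitive) to its profile."""
    index: Dict[str, CloudSocProfile] = {}
    for profile in profiles:
        for ident in {profile.primary_id, *profile.secondary_ids}:
            index[normalize(ident)] = profile
    return index


def audit(users: List[AdUser], profiles: List[CloudSocProfile],
          mode: str) -> List[Tuple[str, Optional[str]]]:
    """Return (UPN, forwarded identity) for every user CloudSOC cannot resolve.

    An empty forwarded identity (no mail attribute in 'email' mode) counts as
    a failure too: nothing usable reaches CloudSOC for that user.
    """
    index = build_index(profiles)
    failures = []
    for user in users:
        ident = forwarded_identity(user, mode)
        if ident is None or normalize(ident) not in index:
            failures.append((user.user_principal_name, ident))
    return failures


def full_sync(users: List[AdUser], profiles: List[CloudSocProfile],
              attributes: Tuple[str, ...]) -> List[CloudSocProfile]:
    """Simulate a SpanVA full sync after redefining the Secondary User ID attributes.

    Each profile is matched to its AD object by primary ID == UPN (an assumption
    of this model) and receives the chosen attributes as secondary IDs. Users
    without a profile stay unresolvable: the sync modelled here does not create them.
    """
    by_upn = {normalize(u.user_principal_name): u for u in users}
    synced = []
    for profile in profiles:
        new_ids = set(profile.secondary_ids)
        user = by_upn.get(normalize(profile.primary_id))
        if user is not None:
            for attr in attributes:
                value = forwarded_identity(user, attr)
                if value:
                    new_ids.add(value)
        synced.append(CloudSocProfile(profile.primary_id, new_ids))
    return synced


def sample_data() -> Tuple[List[AdUser], List[CloudSocProfile]]:
    """Constructed sample: three AD users, only two of them present in CloudSOC."""
    users = [
        AdUser("CORP", "alice", "alice@corp.example", "alice@corp.example"),
        AdUser("CORP", "bob", "bob@corp.example", None),  # no mail attribute
        AdUser("CORP", "carol", "carol@corp.example", "carol@corp.example"),
    ]
    profiles = [  # carol has never been synced into CloudSOC
        CloudSocProfile("alice@corp.example"),
        CloudSocProfile("bob@corp.example"),
    ]
    return users, profiles


if __name__ == "__main__":
    users, profiles = sample_data()
    print("before sync, NetBIOS forwarded:", audit(users, profiles, "netbios"))
    print("before sync, email forwarded:  ", audit(users, profiles, "email"))
    synced = full_sync(users, profiles, ("netbios", "email"))
    print("after sync, NetBIOS forwarded: ", audit(users, synced, "netbios"))
```

Run before the sync, the NetBIOS audit lists every user, which is the symptom in this article. Switching the proxy to forward email rescues alice (her mail already equals her primary ID) but not bob, whose account has no mail attribute, so email forwarding is only a complete fix when every Gatelet user has that attribute populated. After the simulated full sync with the NetBIOS ID added as a Secondary User ID attribute, only carol remains unresolvable, because she has no CloudSOC profile at all: a full sync fixes missing secondary IDs on existing profiles, and users absent from CloudSOC still need to be brought in by AD sync scope or one of the manual methods listed under Cause.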