Why you are getting a pop-up:
Before the video starts playing, the Flash player sends a POST request to open the video stream.
It is important to understand that HTTP POST requests cannot respond to a 302 redirected sent by the ProxySG appliance to redirect to the Virtual URL for authentication.
Therefore, the ProxySG appliance sends back a 401 as an 'origin' challenge, instead of sending a 302-redirect in the form of an 'origin-redirect' challenge.
The browser therefore thinks it is the OCS (Website) asking for authentication, not the ProxySG. The browser will not automatically send its IWA/NTLM credentials for an 'origin' challenge, but creates a pop-up instead.
How to resolve the issue:
To resolve the issue, you can do either of the following:
1) Do not authenticate 'POST' requests
2) Do not authenticate the source User-Agent 'Shockwave Flash'
3) Do not authenticate the source Content-type: application/x-fcs
Here is what the HTTP POST request looks like from the BBC player:
POST /open/1 HTTP/1.1
User-Agent: Shockwave Flash
This is the player requesting the video stream to open. As we already know, POST requests cannot be redirected to the Virtual URL and so a Pop-up is created on the browser for authentication instead.
In CPL, the resolution would look like this: