The expected behavior is that the user would be either denied access to Internet resources or they would receive a prompt from the ProxySG Appliance to authenticate with their domain credentials.
Because BCAAA functions by attempting to log a user in to the domain to test credentials for validity, in this unique instance, the workstation using the same credentials is reported to be valid.
The solution to this issue is to ensure that all BCAAA deployments use a username and password combination that are not used by any other servers, machines or users on the network.
If the domain name isn't valid but the username is, then the DC will attempt to authenticate as a named user in the domain. Since the local credential has a matched domain credential, the authentication will pass.
This behavior is determined by the DC, so it's the same with both IWA-Direct and BCAAA agent implementation. In each case, we just send the type 3 message to the DC and the DC is responsible for locating the user.
You can see the above behavior for yourself if you create a local user on one of your workstations that has the same username as a domain user. Log in to the workstation as that user and attempt to authenticate to the SG.
Please note the presence of the workstation name in the Type 3 message doesn't affect this behavior.