In access logs, policy traces, or authenticated user lists, you see "NT AUTHORITY\ANONYMOUS LOGON" (or a language variation of it) and machine names (names that end with a dollar sign, $) instead of usernames.
In cases where the ProxySG or Advanced Secure Gateway (ASG) appliance requests authentication before a user logs in to their workstation, Windows Server instructs the appliance to use either the workstation name (ending with $) or 'NT AUTHORITY\ANONYMOUS LOGON' as the authentication surrogate.
We can use the following Content Policy Language (CPL) code to log out the Workstation Machine name and have the User authenticate again (Recommended CPL).
NOTE: Enter the IWA realm name, exactly as it appears in the configuration, in place of the section highlighted in red. The above CPL works only for a single realm; if you have multiple realms, you can use the CPL below instead.
If you're using Windows SSO, the above CPL will have no effect, because the user credentials are retrieved via the BCAAA agent, which in turn (depending on configuration) queries the Windows Domain Controller directly. To replicate this change in a Windows SSO environment, log in to the appropriate BCAAA Windows server, then follow the steps below to make the changes:
1. Browse to the BCAAA installation directory (default %programfiles(x86)%\Blue Coat Systems\BCAAA\).
2. Open the sso.ini file in a text editor.
3. Search for the line containing NetShowServices.
4. Directly below this line, add the following text: NT AUTHORITY\anonymous logon (see IMG1.1 for reference).
5. Save the changes and close the file.
6. Restart the BCAAA service (WinKey + R > services.msc > Right-click BCAAA > Restart).
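The same sso.ini change can be scripted so that it is repeatable across several BCAAA servers. The following PowerShell is an added example, not vendor-supplied code: it backs up the file, adds the entry only if it is missing, and refuses to write if the NetShowServices line is not found. It assumes the default installation path given above, a plain ASCII/ANSI sso.ini, and a service whose display name contains "BCAAA".

```powershell
# Added example (not vendor code). Run from an elevated PowerShell session
# on the BCAAA server.
param(
    # Default install path from the article; override if BCAAA lives elsewhere.
    [string]$IniPath = (Join-Path ${env:ProgramFiles(x86)} 'Blue Coat Systems\BCAAA\sso.ini')
)
$ErrorActionPreference = 'Stop'
$entry = 'NT AUTHORITY\anonymous logon'

# Read the file as an array of lines (assumption: ASCII/ANSI text).
$lines = @(Get-Content -LiteralPath $IniPath)

# Idempotency check: do nothing if the entry is already listed.
if ($lines | Where-Object { $_.Trim() -ieq $entry }) {
    Write-Output "Entry already present in $IniPath; nothing changed."
    return
}

# Locate the first line containing NetShowServices (the anchor from step 3).
$idx = -1
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -like '*NetShowServices*') { $idx = $i; break }
}
if ($idx -lt 0) {
    throw "No line containing NetShowServices in $IniPath; file left unchanged."
}

# Keep a timestamped backup so the change can be rolled back.
$backup = "$IniPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -LiteralPath $IniPath -Destination $backup

# Insert the entry directly below the anchor line and write the file back.
$new = @($lines[0..$idx]) + $entry
if ($idx + 1 -lt $lines.Count) {
    $new += $lines[($idx + 1)..($lines.Count - 1)]
}
Set-Content -LiteralPath $IniPath -Value $new

# Restart the service so BCAAA rereads sso.ini.
# Assumption: the display name shown in services.msc contains "BCAAA".
Get-Service -DisplayName '*BCAAA*' | Restart-Service
Write-Output "Added '$entry' to $IniPath (backup: $backup)."
```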
Imported Document ID: 000016206