There can be many reasons why valid users are logged as "guest" on the ProxySG, such as a misconfiguration or a client that doesn't support authentication in the manner presented by the proxy. However, this article points out a specific configuration setting that may cause unexpected logging and access.
The "invalid_surrogate" error, when selected in a Permit Authentication Errors action in policy, can automatically cause the ProxySG to log a valid user as "guest" after the surrogate (cookie, IP, or connection) from a previous authentication has expired.
For example, consider the following conditions to understand how this situation can occur:
1. "Guest Authentication" is configured on the ProxySG
2. User opens a browser to access the internet through the proxy
3. Proxy successfully uses NTLM to authenticate the user and logs him with his domain username of bob.kent
4. Proxy caches the cookie it used as the authentication surrogate for the configured "Refresh Time" of 15 mins
5. Proxy allows the user to access the internet but after 15 mins, the authentication cookie that the browser continues to present is expired
6. Proxy logs the user as "Guest" since the "invalid_surrogate" error is permitted by policy and subsequently the user is limited to the guest access level
Ultimately, this behavior is likely to be unexpected and can be considered a problem for user experience. To avoid this, the "invalid_surrogate" error needs to be deselected from the Permit Authentication Errors action in policy.
See 000008712 for steps on configuring "guest authentication". When configuring the Permit Authentication Errors action, do the following to deselect only "invalid_surrogate" so that all other errors required for guest authentication will be permitted.
1. Click the "Selected errors" radio button
2. Select "All errors" from the "Show:" drop-down menu
3. Select "All Except User Credentials Required"
4. Expand the "All Except User Credentials Required" list
5. Expand the "Invalid User Information" list
6. Deselect the "invalid_surrogate" error check box (see visual example below)
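To check whether this fallback is occurring, or to confirm it has stopped after the change, the access log can be searched for clients that are logged under a domain username and then as guest shortly afterwards. The following is an added example, not part of the original article or any vendor tooling. It assumes space-delimited lines with date, time, c-ip and cs-username as the first four fields, a guest username of "guest", and a 30-minute correlation window; adjust these to the log format and policy in use.

```python
from datetime import datetime, timedelta

# Constructed sample lines (not real logs). Assumed layout: date time c-ip cs-username
SAMPLE_LOG = """\
2024-05-01 09:00:05 10.1.1.20 bob.kent
2024-05-01 09:02:00 10.1.1.31 guest
2024-05-01 09:03:00 10.1.1.44 alice.wu
2024-05-01 09:07:41 10.1.1.20 bob.kent
2024-05-01 09:15:09 10.1.1.20 guest
2024-05-01 09:16:30 10.1.1.20 guest
2024-05-01 09:20:00 10.1.1.31 guest
2024-05-01 11:30:00 10.1.1.44 guest
"""

GUEST_NAME = "guest"             # assumption: guest username configured in policy
MAX_GAP = timedelta(minutes=30)  # assumption: longer gaps may be a different
                                 # person on a reused IP, so they are not reported


def find_guest_fallbacks(log_text, guest=GUEST_NAME, max_gap=MAX_GAP):
    """Return (client_ip, username, last_seen_as_user, first_seen_as_guest)
    for each client logged under a real username and next logged as guest.
    Lines are expected in chronological order."""
    last_real = {}  # client IP -> (username, timestamp) of last named request
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 4:
            continue  # skip header, blank, and short lines
        try:
            ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # not a log record in the assumed layout
        ip, user = parts[2], parts[3]
        if user.lower() == guest:
            # Report only the first guest entry that follows a named user.
            prev = last_real.pop(ip, None)
            if prev and ts - prev[1] <= max_gap:
                findings.append((ip, prev[0], prev[1], ts))
        elif user != "-":  # "-" means no username was logged
            last_real[ip] = (user, ts)
    return findings


if __name__ == "__main__":
    for ip, user, seen, as_guest in find_guest_fallbacks(SAMPLE_LOG):
        print(f"{ip}: {user} at {seen} -> guest at {as_guest}")
```

A client that appears only as guest is not reported, since that is ordinary guest access rather than a valid user being downgraded.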
Imported Document ID: 000017012