Why are unauthorized users being authenticated as DOMAIN\guest with IWA?

Solution

Overview

This happens because the Guest account is enabled in Active Directory without a password. If you do not want non-domain users to be authenticated as DOMAIN\guest, disable the Guest account in Active Directory if it is not required. If the Guest account is necessary, configure a policy on the ProxySG to control access for the DOMAIN\guest user. The following sample CPL policy, which can be added to the local policy file, denies the Guest account Internet access. For further information on how to add CPL to the local policy file, see 000010101.

; BEGIN Deny AD Guest access
<Proxy>
     realm=IWA user="DOMAIN\guest" deny
; END Deny AD Guest access

 

If you are troubleshooting the issue, here are a sample ProxySG policy trace and BCAAA debug log.

ProxySG Policy Trace:

start transaction -------------------
  CPL Evaluation Trace: transaction ID=23400
           <Proxy>
    MATCH:     authenticate(iwa) authenticate.force(no) authenticate.mode(auto)
  connection: service.name=HTTP client.address=10.105.1.65 proxy.port=8080
  time: 2010-07-01 09:40:30 UTC
  GET http://www.bluecoat.com/
  Referer: http://www.bluecoat.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
  user: name="KLDEV\guest" realm=IWA
    url.category: Search Engines/Portals@Blue Coat
  DSCP client outbound: 65
  DSCP server outbound: 65
stop transaction --------------------
 

BCAAA Debug:

2010/07/01 09:42:50.093 [3644] NTLM authentication
2010/07/01 09:42:50.093 [3644] hContext=0x805698:616ce800150690
2010/07/01 09:42:50.093 [3644] Convert_to_netbios
2010/07/01 09:42:50.093 [3644] Calling convert_name 0 3
2010/07/01 09:42:50.093 [3644] convert_name "KLDEV\Guest"  3 3
2010/07/01 09:42:50.093 [3644] Converted KLDEV\Guest to KLDEV\Guest (0)
2010/07/01 09:42:50.093 [3644] Allocated name: result=0x00000000,  name=0x1593CC 'KLDEV\Guest'
2010/07/01 09:42:50.093 [3644] Unicode user name (hex) is: 4b 4c 44 45 56 5c 67 75 65 73 74
2010/07/01 09:42:50.093 [3644] UTF-8 user name (hex) is:KLDEV\guest (KLDEV\guest)
2010/07/01 09:42:50.093 [3644] CtxLink=0x805690 _hCtx=616CE800150690 TS=1277977370 time=1277977370
2010/07/01 09:42:50.093 [3644] RESP2: ctxKey=0x0 ts=0 result=0x40064
2010/07/01 09:42:50.093 [3644] RESP:_PayLoadType=5 _PayLoadLen=284 outBufLen=0 AuthCtxBufLen=0
2010/07/01 09:42:50.093 [3644] Finished processing request
2010/07/01 09:42:50.093 [3644] Dump self response
2010/07/01 09:42:50.093 [3644] 29 Ver 0x82(130) Authenticate response (284 bytes)
2010/07/01 09:42:50.093 [3644] Finished Dump self response
2010/07/01 09:42:50.093 [3644] sending
header@0x00F39A4C: ver=130 (0x82), type=5, id=0x2f628010, seq=29, len=284 
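
To check how widespread the issue is, a saved policy trace can be scanned for transactions that were authenticated as the Guest account. The following is an added example, not Blue Coat code: the function name and the second sample transaction (user jsmith, client 10.105.1.70) are constructed, and the parser assumes the trace layout shown above. The account name is compared case-insensitively because the trace and the BCAAA log show it as both `guest` and `Guest`.

```python
import re

# Constructed sample in the layout of the policy trace shown above.
SAMPLE_TRACE = r'''start transaction -------------------
  CPL Evaluation Trace: transaction ID=23400
  connection: service.name=HTTP client.address=10.105.1.65 proxy.port=8080
  time: 2010-07-01 09:40:30 UTC
  user: name="KLDEV\guest" realm=IWA
stop transaction --------------------
start transaction -------------------
  CPL Evaluation Trace: transaction ID=23401
  connection: service.name=HTTP client.address=10.105.1.70 proxy.port=8080
  time: 2010-07-01 09:41:02 UTC
  user: name="KLDEV\jsmith" realm=IWA
stop transaction --------------------
'''

FIELDS = {
    "id": re.compile(r"transaction ID=(\d+)"),
    "client": re.compile(r"client\.address=(\S+)"),
    "time": re.compile(r"^\s*time:\s*(.+?)\s*$"),
    "user": re.compile(r'user:\s*name="([^"]*)"\s+realm=(\S+)'),
}

def guest_transactions(trace_text, realm="IWA"):
    """Return one dict per transaction authenticated as <domain>\\guest in realm."""
    hits, cur = [], None
    for line in trace_text.splitlines():
        marker = line.strip()
        if marker.startswith("start transaction"):
            cur = {}
        elif marker.startswith("stop transaction"):
            if cur is not None:
                # Compare only the account part, ignoring the domain prefix and case.
                account = cur.get("user", "").rsplit("\\", 1)[-1].lower()
                if account == "guest" and cur.get("realm", "").lower() == realm.lower():
                    hits.append(cur)
            cur = None
        elif cur is not None:
            for key, rx in FIELDS.items():
                m = rx.search(line)
                if m:
                    cur[key] = m.group(1)
                    if key == "user":
                        cur["realm"] = m.group(2)
    return hits

if __name__ == "__main__":
    for t in guest_transactions(SAMPLE_TRACE):
        print(t["time"], t["client"], t["user"], "transaction", t["id"])
```

Each client address reported is a workstation whose user was let through as Guest, so it can be used to confirm that disabling the account or adding the deny rule has taken effect.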

InQuira Doc Id: FAQ879