Why do authenticated users appear as machine names or 'Anonymous Logon' rather than proper user names?

Solution

Overview
In access logs, policy traces, and/or authenticated user lists, you see "NT AUTHORITY\ANONYMOUS LOGON" (or language variation) and machine names (names that end with a dollar sign $) instead of proper user names.

 

 

Cause

In cases where the ProxySG appliance requests authentication before a user logs in to their workstation, Windows Server 2008 instructs the appliance to use either the workstation name (ending with $) or "NT AUTHORITY\ANONYMOUS LOGON" as the authentication surrogate.

Resolution

The deny.unauthorized command lets you define policy that negates these authentication surrogates and forces the user to authenticate again with their next request. This condition was added in SGOS 5.5.

An additional condition added in SGOS 6.2.7.1, user.regex, permits you to create a rule to match requests where the username contains specific characters, in this case a dollar sign ($).

To resolve this issue, use a deny.unauthorized policy to negate the saved authentication credential and force the user to authenticate again. This should be transparent to the user when IWA-based authentication is in use.

Add the following to the Local Policy or a Visual Policy Manager CPL layer (if available).

define condition IWA_SILENT_USERS
    user="NT AUTHORITY\anonymous logon"
    user="AUTORITE NT\anonymous logon"
    user.regex='.+\$$'
end condition

<Proxy>
    realm=<your-iwa-realm-name> condition=IWA_SILENT_USERS deny.unauthorized

 

Additionally, you may want to record which devices are attempting to log in silently. To do this, write these specific login attempts to a separate Access Log. This requires you to create a custom Access Log.

define condition IWA_SILENT_USERS
    user="NT AUTHORITY\anonymous logon"
    user="AUTORITE NT\anonymous logon"
    user.regex='.+\$$'
end condition

<Proxy>
    realm=<your-iwa-realm-name> condition=IWA_SILENT_USERS deny.unauthorized access_log[MySilentLog](yes)
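Once the custom Access Log is being written, its entries can be summarized per device. The Python script below is an added example, not part of the original article or the vendor's tooling. It assumes the log is in ELFF format with a `#Fields:` header that includes `c-ip` and `cs-username`, that values containing spaces are double-quoted, and that names are compared case-insensitively; the sample log lines are constructed.

```python
import re
from collections import Counter

# Mirrors the IWA_SILENT_USERS condition from the policy above.
# Assumption: names are compared case-insensitively.
SILENT_NAMES = {r"nt authority\anonymous logon", r"autorite nt\anonymous logon"}
MACHINE_ACCOUNT = re.compile(r".+\$$")  # same pattern as user.regex in the CPL

def is_silent_user(username):
    """True for an anonymous logon or a machine account (name ends in $)."""
    name = username.strip()
    return name.lower() in SILENT_NAMES or bool(MACHINE_ACCOUNT.match(name))

def split_fields(line):
    """Split a log line on whitespace, keeping double-quoted values whole."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', line)]

def silent_logins(log_lines):
    """Count silent logins per (client IP, surrogate name).

    Column positions come from the '#Fields:' header (assumed field names:
    c-ip, cs-username). Lines before a header and short lines are skipped.
    """
    ip_col = user_col = None
    counts = Counter()
    for line in log_lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            names = line[len("#Fields:"):].split()
            ip_col, user_col = names.index("c-ip"), names.index("cs-username")
            continue
        if not line or line.startswith("#") or user_col is None:
            continue
        fields = split_fields(line)
        if len(fields) <= max(ip_col, user_col):
            continue
        if is_silent_user(fields[user_col]):
            counts[(fields[ip_col], fields[user_col])] += 1
    return counts

# Constructed sample log (not real traffic).
SAMPLE_LOG = r'''#Fields: date time c-ip cs-username cs-method cs-host
2024-01-15 08:01:02 10.1.1.20 WKSTN-0042$ GET update.example.com
2024-01-15 08:01:05 10.1.1.20 WKSTN-0042$ GET update.example.com
2024-01-15 08:01:09 10.1.1.31 "NT AUTHORITY\ANONYMOUS LOGON" GET cdn.example.com
2024-01-15 08:02:11 10.1.1.20 CORP\alice GET intranet.example.com
2024-01-15 08:02:30 10.1.1.44 - CONNECT mail.example.com
'''.splitlines()

if __name__ == "__main__":
    for (ip, user), n in silent_logins(SAMPLE_LOG).most_common():
        print(f"{ip}\t{user}\t{n}")
```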



In addition, if the previous CPL code fails, you can apply the following CPL (this code will log out workstations that are already logged in).

define condition IWA_SILENT_USERS
    user="NT AUTHORITY\anonymous logon"
    user="AUTORITE NT\anonymous logon"
    user.regex='.+\$$'
end condition

<Proxy>
    realm=<your-iwa-realm-name> condition=IWA_SILENT_USERS user.login.log_out(true)

 
 

 Notes

  • The user.regex condition is available in SGOS 6.2.7.1 and later. 
  • Refer to the user.regex and deny.unauthorized conditions in the Content Policy Language Guide for your version of SGOS (5.5 and later).
InQuira Doc Id: KB4815