
Why do authenticated users display with machine names or 'Anonymous Logon' rather than with proper user names?

Solutions ID:    KB4815
Version:    6.0
Status:    Published
Published date:    12/13/2011
Updated:    02/27/2013
 

Problem Description

In access logs, policy traces, and/or authenticated user lists, you see "NT AUTHORITY\ANONYMOUS LOGON" (or language variation) and machine names (names that end with a dollar sign $) instead of proper user names.

 

Resolution

In cases where the ProxySG requests authentication before a user logs in to their workstation, Windows Server 2008 will instruct the ProxySG to use either the workstation name (ending with $) or 'NT AUTHORITY\ANONYMOUS LOGON' as the authentication surrogate.

With the help of the deny.unauthorized command you can define policy to negate these authentication surrogates and force a user to authenticate again with their next request. This condition was added in SGOS 5.5.

An additional condition added in SGOS 6.2.7.1, user.regex, permits you to create a rule to match requests where the username contains specific characters, in this case a dollar sign ($).

To resolve this issue, use a deny.unauthorized policy to negate the saved authentication credential and force the user to authenticate again. This should be transparent to the user when IWA-based authentication is in use.

Add the following to the Local Policy or a Visual Policy Manager CPL layer (if available).

define condition IWA_SILENT_USERS
    user="NT AUTHORITY\anonymous logon"
    user="AUTORITE NT\anonymous logon"
    user.regex='.+\$$'
end condition

<Proxy>
    realm=<your-iwa-realm-name> condition=IWA_SILENT_USERS deny.unauthorized

 

Additionally, you may want to record which devices are attempting to log in silently. This can be done by writing these specific login attempts to a separate Access Log, which requires you to create a custom Access Log.

define condition IWA_SILENT_USERS
    user="NT AUTHORITY\anonymous logon"
    user="AUTORITE NT\anonymous logon"
    user.regex='.+\$$'
end condition

<Proxy>
    realm=<your-iwa-realm-name> condition=IWA_SILENT_USERS deny.unauthorized access_log[MySilentLog](yes)

Notes:

  • The user.regex condition above is available in SGOS 6.2.7.1 and above.
  • Both the user.regex and deny.unauthorized conditions can be found in the SGOS Content Policy Language Guide for your preferred version of SGOS, 5.5 and above.
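
To see which workstations hit the rule most often, the separate access log can be summarized offline. The following Python is an added example, not part of the original article or any vendor tooling: it applies the same three matches as IWA_SILENT_USERS to constructed log lines. The field layout (date, time, c-ip, cs-username), the sample values, and the case-insensitive name comparison are assumptions.

```python
import csv
import re
from collections import Counter

# Same matches as the IWA_SILENT_USERS condition in the policy above.
ANONYMOUS_NAMES = {"nt authority\\anonymous logon", "autorite nt\\anonymous logon"}
MACHINE_ACCOUNT = re.compile(r".+\$$")

# Constructed sample; the field layout is an assumption, not a ProxySG default.
SAMPLE_LOG = r'''#Fields: date time c-ip cs-username
2013-02-27 08:01:12 10.1.4.21 "NT AUTHORITY\ANONYMOUS LOGON"
2013-02-27 08:01:15 10.1.4.22 WS-0142$
2013-02-27 08:01:19 10.1.4.22 CORP\alice
2013-02-27 08:02:03 10.1.4.30 "AUTORITE NT\ANONYMOUS LOGON"
2013-02-27 08:02:40 10.1.4.22 WS-0142$
2013-02-27 08:03:02 10.1.4.41 -
'''


def classify(username):
    """Return 'anonymous', 'machine' or None for a real (or absent) user."""
    name = username.strip()
    if name.lower() in ANONYMOUS_NAMES:  # assumption: compare case-insensitively
        return "anonymous"
    if MACHINE_ACCOUNT.fullmatch(name):
        return "machine"
    return None


def silent_logons(log_text):
    """Count silent surrogates per (client IP, username, kind)."""
    counts = Counter()
    fields = []
    for row in csv.reader(log_text.splitlines(), delimiter=" ", quotechar='"'):
        if not row or row[0].startswith("#"):
            if row and row[0] == "#Fields:":
                fields = row[1:]  # column names come from the log header
            continue
        record = dict(zip(fields, row))
        kind = classify(record.get("cs-username", ""))
        if kind:
            counts[(record["c-ip"], record["cs-username"], kind)] += 1
    return counts


if __name__ == "__main__":
    for (ip, user, kind), n in silent_logons(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {kind:9s}  {ip:15s}  {user}")
```

Adjust the field names to match the format string of the custom log you created.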
