Cisco Web Security Appliance S670 Troubleshooting Guide

Why are computer machine names or NULL usernames logged in accesslogs?
Document ID: 118423
Oct 13, 2014
Contents
Question
Environment
Symptoms
Background Information
Question
• Why are computer machine names or NULL usernames logged in accesslogs?
• How do you identify the requests using workstation or NULL credentials for later authentication exemption?
Environment
• Cisco Web Security Appliance (WSA) - all versions
• Authentication Scheme NTLMSSP with IP Surrogates
• Windows Vista and newer desktop and mobile Microsoft Operating Systems
Symptoms
The WSA blocks requests from some users or behaves unexpectedly.
The accesslogs show computer machine names or a NULL username and domain instead of user IDs.
The issue resolves itself after:
• Surrogates time out (default value for Surrogate Timeout is 60 minutes)
• Restarting proxy process (CLI command > diagnostic > proxy > kick)
• Flushing authentication cache (CLI command > authcache > flushall)
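One way to find the client IPs whose requests were logged with a machine name or NULL username, so they can be reviewed for a later authentication exemption. This is an added example, not Cisco's code and not part of the original document. It assumes a Squid-style accesslog layout (client IP in the third field, quoted username in the eighth, written as DOMAIN\user@REALM), that NULL credentials appear as an empty or literal NULL user part, and it relies on Active Directory computer account names ending in "$"; the sample lines and the names classify and suspect_surrogates are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines. Assumed layout (not shown on this page): Squid-style
# fields with the client IP third and the quoted username eighth, written as
# DOMAIN\user@REALM; "-" means no authentication took place.
SAMPLE_LOG = r'''
1413187200.101 45 10.1.1.20 TCP_MISS/200 5120 GET http://example.com/ "CORP\jsmith@CORP_REALM" DIRECT/example.com text/html ALLOW
1413187201.337 12 10.1.1.21 TCP_DENIED/403 0 GET http://update.example.net/a "CORP\WKSTN-0042$@CORP_REALM" NONE/- - BLOCK
1413187202.009 9 10.1.1.22 TCP_DENIED/403 0 GET http://update.example.net/b "\@CORP_REALM" NONE/- - BLOCK
1413187203.500 30 10.1.1.21 TCP_DENIED/403 0 GET http://example.org/ "CORP\WKSTN-0042$@CORP_REALM" NONE/- - BLOCK
1413187204.250 7 10.1.1.23 TCP_MISS/200 900 GET http://example.com/x - DIRECT/example.com text/css ALLOW
'''

# Optional quotes, optional DOMAIN\ prefix, user part, optional @REALM suffix.
USER_RE = re.compile(r'^"?(?:(?P<domain>[^\\"@]*)\\)?(?P<user>[^"@]*)(?:@(?P<realm>[^"]*))?"?$')

def classify(username_field):
    """Return 'machine', 'null', 'user' or 'none' for one username field."""
    if username_field == "-":
        return "none"                      # request was not authenticated
    m = USER_RE.match(username_field)
    if m is None:
        return "user"                      # unparseable field: do not flag it
    user = m.group("user")
    if user == "" or user.upper() == "NULL":
        return "null"                      # assumed rendering of NULL credentials
    if user.endswith("$"):
        return "machine"                   # AD computer accounts end in "$"
    return "user"

def suspect_surrogates(log_text):
    """Map client IP -> {kind: count} for machine/NULL identities only."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue                       # blank or truncated line
        kind = classify(fields[7])
        if kind in ("machine", "null"):
            hits[fields[2]][kind] += 1     # fields[2] is the client IP
    return {ip: dict(kinds) for ip, kinds in hits.items()}

if __name__ == "__main__":
    for ip, kinds in sorted(suspect_surrogates(SAMPLE_LOG).items()):
        print(ip, kinds)
```
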
Background Information
In recent versions of the Microsoft operating system, an actual user no longer needs to be logged in for
applications to send requests to the Internet. When the WSA receives those requests and asks the client to
authenticate, the client workstation has no user credentials available and may substitute the computer's
machine name instead.
The WSA takes the provided machine name and forwards it to Active Directory (AD), which validates it.
With a valid authentication, the WSA creates an IP Surrogate binding the machine's workstation name to the
workstation's IP address. Further requests coming from the same IP will use the surrogate and thus