Why does traffic from Windows 7 / Vista clients show workstation instead of user in the access logs?
Microsoft Windows 7, Microsoft Windows Vista, Cisco Web Security Appliance (all versions), Surrogate Type: IP address
Certain log lines in the access logs show the computer's machine name instead of DOMAIN\USER.
Microsoft introduced a feature in Windows 7 and Windows Vista called "Network Connectivity Status Indicator" (NCSI), which appears as a small globe icon over the network interface icon in the system tray. Immediately after logon, NCSI requests data from the Internet to determine whether Internet connectivity is available.
There are known issues with NCSI where it sends machine credentials instead of user credentials when NTLM authentication is required.
Because the NCSI probe is usually the first request a PC sends to the WSA, no surrogate exists yet, and the WSA creates a new IP-based surrogate tied to the machine name rather than the actual user name. That surrogate is then used for every request from that IP address until it times out; only then is the user challenged again, this time with real credentials.
Because the machine account is most likely not a member of the AD group the policy was written for, requests made while that surrogate is valid do not match the intended Access or Decryption Policy and fall through to another policy, which sometimes results in the request being blocked.
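The following is an added illustration of the mechanism described above, not Cisco code: it models an IP-address surrogate cache with a timeout and a top-down policy table, and walks through the sequence in the answer (machine-credential NCSI probe first, user requests reusing the surrogate, re-authentication after the surrogate expires). The domain, host, user, group and policy names are constructed, and the surrogate timeout is an assumption; the real WSA surrogate and policy engine are not shown. It also uses the fact that Active Directory computer accounts have names ending in `$`, which is a handy check when scanning access logs for this condition.

```python
"""Simulation of an IP surrogate being seeded by a machine account.
Added example, not Cisco code. All names below are constructed."""
from dataclasses import dataclass

# Constructed AD group membership. Computer accounts end in '$' and are
# not members of the user group the Access Policy was written for.
GROUP_MEMBERS = {"Marketing": {"CONTOSO\\alice"}}

# Constructed policy table, evaluated top-down; the last entry catches all.
POLICIES = [
    ("Marketing-Allow", "Marketing", "ALLOW"),
    ("Default", None, "BLOCK"),
]


def is_machine_account(identity):
    """AD computer accounts have a sAMAccountName ending in '$'."""
    return identity.endswith("$")


@dataclass
class Surrogate:
    identity: str
    expires_at: float


class IpSurrogateCache:
    """Identity cache keyed by client IP address (Surrogate Type: IP)."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds  # assumed surrogate timeout, in seconds
        self.cache = {}

    def identify(self, src_ip, now, credential_supplier):
        """Return (identity, how) for a request from src_ip at time now.

        A valid surrogate short-circuits authentication completely, so the
        client is only challenged when no surrogate exists or it has expired;
        credential_supplier models whatever credentials the client then sends.
        """
        entry = self.cache.get(src_ip)
        if entry is not None and entry.expires_at > now:
            return entry.identity, "surrogate"
        identity = credential_supplier()
        self.cache[src_ip] = Surrogate(identity, now + self.ttl)
        return identity, "authenticated"


def match_policy(identity):
    """First policy whose group contains the identity (or the catch-all)."""
    for name, group, action in POLICIES:
        if group is None or identity in GROUP_MEMBERS[group]:
            return name, action
    raise AssertionError("policy table must end with a catch-all")


def simulate(ttl_seconds=3600):
    """Walk through the sequence from the answer and return the decisions."""
    cache = IpSurrogateCache(ttl_seconds)
    ip = "10.1.2.3"
    user = "CONTOSO\\alice"
    machine = "CONTOSO\\WS-1234$"  # constructed computer account
    events = []

    def record(t, what, identity, how):
        name, action = match_policy(identity)
        events.append((t, what, identity, how, name, action,
                       is_machine_account(identity)))

    # t=0: NCSI probe fires right after logon and answers the NTLM
    # challenge with the machine credentials -> surrogate seeded with them.
    ident, how = cache.identify(ip, 0, lambda: machine)
    record(0, "NCSI probe", ident, how)

    # t=5: the user's browser sends a request; the surrogate is reused and
    # the user is never asked for credentials, so the machine name sticks.
    ident, how = cache.identify(ip, 5, lambda: user)
    record(5, "browser request", ident, how)

    # t=ttl+1: surrogate expired; the browser is challenged and now sends
    # the real user credentials, so policy matching works again.
    ident, how = cache.identify(ip, ttl_seconds + 1, lambda: user)
    record(ttl_seconds + 1, "browser request", ident, how)
    return events


if __name__ == "__main__":
    for t, what, ident, how, policy, action, machine in simulate():
        flag = " <-- machine account in log" if machine else ""
        print(f"t={t:>5}s {what:<15} {ident:<20} ({how}) -> {policy}/{action}{flag}")
```

The third event is the only one that matches the intended policy, which is why the access log shows the machine name with the wrong policy group for the whole surrogate lifetime after each logon; grepping the access log for identities ending in `$` is a quick way to find the affected client IPs.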