Question
Why does traffic from Windows 7 / Vista clients show workstation instead of user in the access logs?
Environment
Microsoft Windows 7, Microsoft Windows Vista, Cisco Web Security Appliance (all versions), Surrogate Type: IP address
Symptoms
Certain log lines in the access logs show the computer's machine name instead of DOMAIN\USER.
Microsoft introduced a new feature into Windows 7 and Windows Vista called "Network Connectivity Status Indicator" (NCSI), which shows up as a little globe icon over the network interface icon in the system tray. Immediately after login, this feature attempts to request data from the Internet in order to determine whether Internet connectivity is available.
There are known issues with NCSI, where it will send machine credentials instead of user credentials when NTLM authentication is required.
Since NCSI is most likely to send the first request from a PC to the WSA, no surrogate exists yet, and a new IP-based surrogate is created with the machine name instead of the actual user name. This surrogate is then used for every request from that IP address until the surrogate times out and the user has to re-authenticate, this time with real credentials.
Since the machine name is most probably not a member of the intended AD group, these requests will not match the correct Access/Decryption Policy, sometimes resulting in the request being blocked.
For more information regarding NCSI, please see the following Microsoft KB article.
Please see the instructions below to work around the issue:
- Launch the Registry Editor by searching for "regedit" from the task menu. You must right-click and select "Run as Administrator".
- Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet
- Under the Internet key, double-click "EnableActiveProbing", and then in Value data, type: 0.
- Click "OK".
- Restart the computer.
These changes can be pushed to all clients as a Global Policy Object (GPO) using the Domain Controller.
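The registry steps above, scripted for an elevated PowerShell prompt so the value can be checked before and verified after the change. This is an added example, not part of the original article; the key path and value name are the ones listed in the steps.

```powershell
# Added example: apply the NCSI workaround described above and verify it.
# Requires an elevated (Run as Administrator) PowerShell session.
$path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'
$name = 'EnableActiveProbing'

# The Internet key normally exists; create it only if it is missing.
if (-not (Test-Path -Path $path)) {
    New-Item -Path $path -Force | Out-Null
}

# Record the current value so the change can be audited or reverted later.
$before = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $before) {
    Write-Host "$name is not set (active probing enabled by default)"
} else {
    Write-Host "$name before change: $before"
}

# Steps 3 and 4: set the REG_DWORD value to 0 to disable active probing.
Set-ItemProperty -Path $path -Name $name -Value 0 -Type DWord

# Confirm the value took effect before restarting (step 5).
$after = (Get-ItemProperty -Path $path -Name $name).$name
if ($after -ne 0) {
    throw "$name is $after after the change, expected 0"
}
Write-Host "$name now: $after. Restart the computer to complete the workaround."
```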
Workaround on the WSA
Create an Identity for NCSI and exempt it from authentication based on the URL or its User Agent.
Known URLs to which NCSI Connects
ncsi.glbdns.microsoft.com
newncsi.glbdns.microsoft.com
www.msftncsi.com
NCSI User Agent
Microsoft NCSI