I have a few accounts that are locked down generic accounts used in a few areas at our company. These logins were requesting additional authentication from the Web Gateway (7.0) and I was pulling my hair out trying to figure out why. The issue turned out to be that these login accounts were set in AD to only logon to certain computers. Adding the computer account that the web gateway creates in AD when you join it to the domain solves the problem. I hope this helps someone else.
This is the same behavior as in 6.8.6. Any restriction on an account can create a probleme. You have to remember that the proxy is doing the auth, not the user.