I do not believe that this is a matter of authentication. The problem is located at the website and the services they embedd. This is what I observed. The website embedds content from "realtime.co" which uses web sockets to push messages to the client. Basically there is nothing wrong with this, but it seems that the client part (running on the users PC when accessing the web site) is not fully proxy aware. Instead of sending a proxy-style request which looks like this:
it sends a server-style request to MWG, which looks like this:
There is basically nothing wrong with this, but with authentication this behaviour becomes an issue. Usually when a proxy is configured in the browser MWG answers with 407 messages to tell the browser to authenticate (Proxy-Authenticate). This works fine. But when the client sends the server-style requests MWG now cannot answer with a 407 (because thie request is not a proxy request), but has to answer with a 401 (web server authentication) to the browser, asking for authentication.
Because the browser has a proxy configured it only expects 407 messages to respond to with the credentials you have given. Once it receives the 401 the browser assumes the web site requires authentication, and shows a popup window.
I cannot see any workaround except allowing the request to initialize the web socket without authentication. I have created a rule that allows this specific request (everything else is filtered as before):
As you can see I check the Host and Path of the URL, and if it matches to the web socket initialization I skip authentication. You may have to create a similar rule and place it somewhere into your policy where it skips all authentication rules.
This should allow the web site to run fine.
without any data it is hard to make further assumptions, but I believe that maybe the rule is not correctly in place. If it is placed correctly MWG would not send a 401 to the browser and it would not show a popup window. Can you share some more information about your rules and explain where you added the rule?