The reason why your domain users get prompted for authentication is that all of your traffic goes to your Local database authentication rule.
When a DOMAIN user accesses a webpage, its traffic will go first in the Authentication: User Database rule.
With this, all of your proxy users will get prompted for authentication, and processing STOPS there if no valid credentials were entered.
It will not fall down to your AD authentication since the action "Authenticate" blocks their request from that point onward.
A good way to perform multiple auth is bgartama's solution where a "Continue" action is used for each auth rule and a blocking rule at the bottom of your authentication ruleset.
The rules within must not be interchanged, or else the desired result won't be accomplished.
To discuss this ruleset further:
The first rule is the 'AD authentication rule', the 2nd is the 'Database auth rule' with an auth property that equals false, and the last is 'block unauthorized users'.
The reason why the AD rule goes first is to avoid domain users getting prompted by the web gateway for authentication, which happens if the database auth is configured first.
Valid domain users will not trigger the database rule nor the third rule. The reason is that they have already been authorized by the MWG through AD, thus the property 'Authentication.IsAuthenticated equals false' is not met.
Your local users will also go to the AD authentication but will fall down to the next rule as they are not part of your domain.
If valid credentials were given, MWG will then give an authorization to these users.
Now, if the user is not a member of the domain, and if wrong credentials were given, MWG will then block the requests with the last rule, "Perform Authentication". The action "Authenticate" will block these requests as the property "Authentication.IsAuthenticated equals false" is fired.
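The rule ordering described in the reply above, as an added example that is not part of the original posts and is not MWG's rule engine: a simplified Python model that compares a database-first ruleset using the "Authenticate" action with the AD-first "Continue" ruleset. The user names, passwords, rule tuples and the `evaluate` function are constructed for illustration, and the second rule of the database-first ruleset is an assumption, since the thread does not show it.

```python
# Simplified model of top-down rule evaluation; all data below is constructed.
AD_USERS = {"CORP\\alice": "ad-pass"}     # constructed domain account
LOCAL_USERS = {"kiosk1": "local-pass"}    # constructed local database account

def try_backend(backend, creds):
    """True when the supplied (user, password) pair matches the backend."""
    return creds is not None and backend.get(creds[0]) == creds[1]

def evaluate(rules, creds):
    """Return (verdict, rule name) for one request with the given credentials.

    Each rule is (name, backend, only_if_unauthenticated, action).
    """
    authenticated, matched_by = False, None
    for name, backend, only_if_unauth, action in rules:
        if only_if_unauth and authenticated:
            continue  # 'Authentication.IsAuthenticated equals false' is not met
        if backend is not None and try_backend(backend, creds):
            authenticated, matched_by = True, name
            continue  # authentication succeeded, so the rule does not fire
        # The rule fires: this backend rejected the credentials, or this is
        # the final catch-all for requests that are still unauthenticated.
        if action == "Authenticate":
            return ("PROMPT/BLOCK", name)  # processing stops at this rule
        # action == "Continue": fall through to the next rule
    return ("ALLOW", matched_by)

# Database rule first with the "Authenticate" action (the problem setup).
DB_FIRST = [
    ("Local DB", LOCAL_USERS, False, "Authenticate"),
    ("AD", AD_USERS, True, "Authenticate"),  # assumed; never reached by AD users
]

# AD first, "Continue" on both auth rules, blocking rule at the bottom.
AD_FIRST = [
    ("AD", AD_USERS, False, "Continue"),
    ("Local DB", LOCAL_USERS, True, "Continue"),
    ("Block unauthorized", None, True, "Authenticate"),
]

if __name__ == "__main__":
    for label, creds in [("domain user", ("CORP\\alice", "ad-pass")),
                         ("local user", ("kiosk1", "local-pass")),
                         ("wrong password", ("kiosk1", "guess"))]:
        print(label, evaluate(DB_FIRST, creds), evaluate(AD_FIRST, creds))
```
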
Sorry for responding late about my results for this. Today I followed your screenshot, and I am now attaching my screenshot here for understanding:
I tested with an AD user and it went through from the first rule, then I tested with a user name created in the local database of the gateway and it went through the second rule, and lastly, when entering wrong credentials, the request is stopped by the last rule, where the property 'authentication.IsAuthenticated equals false' kicks in.
Now the only difference I see between your screenshot and mine is that 'Responses' and 'Embedded Objects' are selected in your image, but in my settings they are grayed out and I cannot enable them. I don't know why. Can you assist if this is needed and how to enable it?
Waiting for your response.
No need to worry about that because what's configured in yours is more appropriate.
bgartma's ruleset could have been a ruleset he immediately created for your eyes only or he could have a different proxy setup.
We only need to apply the rule to "Request" cycles, as the proxy server only needs to ask and check for authentication when you request a website and not when the web servers respond to your request.
Appreciate your quick response on this.