When using the Check User feature under Test Authentication Agent Settings, the returned user is a service username instead of the proper LDAP user, even though the LDAP user is logged on and using that workstation at the same moment.
When CFS policies are applied, they are applied to the user obtained via NetAPI/WMI, which could be the service username.
This condition is triggered when the PC launches update services under their own username, for example services installed by A/V software such as Sophos or the NVIDIA driver update process. This causes the PC/terminal server to appear to have multiple users logged in simultaneously.
To verify this is the case, run an SSO test against the problematic machine's IP, as in the screenshot below:
Also check the Computer Management | Users snap-in on the impacted Windows machine; it should show something similar to the screenshot below:
This condition can be resolved by adding the returned service username (in this example, UpdatusUser) under the SSO user settings, so that the returned query is bypassed and the actual user is resolved.
This sometimes needs to be repeated if the returned username is still not the LDAP user, as some machines might have multiple update services installed.
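
The check described above can also be done from PowerShell on the affected workstation, which lists every account that currently owns a logon session in one pass. This is an added example, not part of the original article or the vendor's tooling. It assumes an elevated PowerShell session with the CIM cmdlets available, and the "local account" flag is only a hint about which names to compare against the SSO test result.

```powershell
# Added example: enumerate logon sessions and the accounts that own them,
# so accounts logged on alongside the real LDAP user are visible.
# Run in an elevated PowerShell session on the affected machine.

# Common Win32_LogonSession.LogonType values
$logonTypes = @{
    2  = 'Interactive'
    3  = 'Network'
    4  = 'Batch'
    5  = 'Service'
    10 = 'RemoteInteractive'
    11 = 'CachedInteractive'
}

$rows = foreach ($session in Get-CimInstance -ClassName Win32_LogonSession) {
    # Win32_LoggedOnUser associates each logon session with its account
    $accounts = Get-CimAssociatedInstance -InputObject $session `
        -Association Win32_LoggedOnUser -ErrorAction SilentlyContinue

    foreach ($account in $accounts) {
        $typeName = $logonTypes[[int]$session.LogonType]
        if (-not $typeName) { $typeName = "Other ($($session.LogonType))" }

        [pscustomobject]@{
            Account   = '{0}\{1}' -f $account.Domain, $account.Name
            # Assumption: a domain equal to the computer name means a local
            # account, which is how updater accounts are typically created.
            IsLocal   = ($account.Domain -eq $env:COMPUTERNAME)
            LogonType = $typeName
            StartTime = $session.StartTime
        }
    }
}

# One line per account and logon type, local accounts first
$rows |
    Sort-Object -Property Account, LogonType -Unique |
    Sort-Object -Property @{ Expression = 'IsLocal'; Descending = $true }, Account |
    Format-Table -AutoSize
```

Any account in the output that matches the username returned by the SSO test, and is not the LDAP user, is the one to add under the SSO user settings.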