WinGate can only discover user credentials when there is an authentication policy or access rule in place that forces the user to authenticate. The easiest way to do this is with a web access rule that applies to all users except the authenticated users group, with the result set to "force client to (re)authenticate". We have a video on setting that up here: https://www.youtube.com/watch?v=OTZYImHBmJY&t=9s