XG Firewall SFOS 18.0.4 MR-4
We are using the XG as a web proxy for approx. 1000 users. It's set up to authenticate against AD servers using Kerberos and NTLM.
This works absolutely fine for the majority of users, but we have roughly 75 users it fails on. They are all configured exactly the same, and it's not the device, as other users can log onto that device and authenticate to the proxy.
The proxy is non-transparent and is configured on each device as the FQDN.
e.g. you enter www.google.com and it redirects to servername.ourdomain.internal:8091/ntlmauth.html and
Hmmm… can't reach this page
It looks like servername.ourdomain.internal closed the connection
The only fix currently is to reduce the number of groups a user is in (approx. 40-50 when it fails), which would suggest Kerberos token bloat, but from checking, the affected users are around 9000 bytes and have no issues elsewhere. I've enabled warnings for large Kerberos tickets on the DCs and nothing is logged (Event ID 31).
We have checked all logs and nothing is reported for these failed sessions.
Sophos Support have been next to useless regarding this, despite checking the config and pulling all the logs.
Has anyone experienced this? Why can I not find any errors in the logs? Is there anywhere I can increase the Kerberos token size, as currently that is the only fix I can see?
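As an added example (not from the original post or from Sophos), the script below estimates a user's Kerberos token size from their effective group membership using Microsoft's published pre-Windows 2012 sizing formula (TokenSize = 1200 + 40d + 8s, from KB327825) and also reports the approximate size of the base64-encoded Negotiate header the proxy has to accept, which is about a third larger than the raw ticket. It assumes the ActiveDirectory RSAT module is installed and that the user and warning threshold are supplied as parameters; the default threshold of 12000 bytes is the pre-Windows 8/2012 MaxTokenSize default and is an assumption you should adjust to your environment.

```powershell
# Added diagnostic example, not part of the original post.
# Estimates a user's Kerberos token size (KB327825 formula) and the size of the
# base64 Negotiate header that carries it to a proxy.
#   d = domain-local groups + universal groups from other domains + SIDHistory entries
#   s = global groups + universal groups in the user's own domain
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [int]$WarnBytes = 12000   # assumed threshold; pre-2012 MaxTokenSize default
)
Import-Module ActiveDirectory

# tokenGroups is a constructed attribute holding the SIDs of all groups the user
# belongs to, including nested ones, i.e. what actually ends up in the ticket's PAC.
$user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups, sIDHistory
$userDomainSid = $user.SID.AccountDomainSid.Value

$d = 0; $s = 0; $unresolved = 0
foreach ($sid in $user.tokenGroups) {
    try { $g = Get-ADGroup -Identity $sid.Value } catch { $unresolved++; continue }
    # Well-known SIDs (BUILTIN\...) have no AccountDomainSid; treat them as foreign.
    $sameDomain = ($null -ne $sid.AccountDomainSid) -and
                  ($sid.AccountDomainSid.Value -eq $userDomainSid)
    switch ($g.GroupScope) {
        'DomainLocal' { $d++ }
        'Global'      { $s++ }
        'Universal'   { if ($sameDomain) { $s++ } else { $d++ } }
    }
}
$d += @($user.sIDHistory).Count

$estimate = 1200 + 40 * $d + 8 * $s
# Base64 expands 3 raw bytes to 4 characters; this is roughly the size of the
# "Authorization: Negotiate ..." header value the proxy must parse.
$headerEstimate = [math]::Ceiling($estimate / 3) * 4

[pscustomobject]@{
    User                        = $SamAccountName
    DomainLocalOrForeignGroups  = $d
    GlobalOrLocalUniversal      = $s
    UnresolvedSids              = $unresolved
    EstimatedTokenBytes         = $estimate
    EstimatedNegotiateHeaderLen = $headerEstimate
    ExceedsThreshold            = ($estimate -gt $WarnBytes)
}
```

Run it for an affected and an unaffected user and compare the header estimates against whatever header-size limit the proxy enforces; the formula is an estimate only, so the real ticket size reported by the DC (or a captured AS-REQ/TGS-REP) is the authoritative number.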