Web filtering not picking up user

Is this a Server Protection Client? So there is Intercept X for server installed? Check if this server is in the Best Protection EAP. 

Have installed v19 and then followed this article https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/HowToArticles/AuthenticationConfigurePerConnectionAuth/index.html#create-firewall-rules-for-multi-user-host-traffic

I've attached web policy under the firewall rule - copy of the web policy below - but Auto-IT Admins are still blocked

Essentially you need to get AD SSO running and the Standard/Direct Proxy has to be enabled. 

I've done a bit of troubleshooting and it looks like since upgrading to v19 it's not automatically creating users from AD in the Sophos - it was before I upgraded.

Just to confirm;

Group policy auditing changed to enable successful logins

AD server added to Sophos - test connection works fine

AD server listed as the only authentication server in services / firewall auth methods

What am I missing?

Users essentially are not needed in the Firewall. But those users should be created by a successful authentication. 

Ok. But web filtering rules are not working on a per user basis using that config. It’s not recognising who is logged in to the terminal server.

So you are not seeing the user in Live Logging? 

Correct. No username is attached to anything.

I thought that was live logging. Where do I need to go to see live logging?

You need to look for current activities and live users. 

You need to look for current activities and live users. 

I disconnected all users from Sophos live users and also from the terminal server.

I logged in the to the server as "User1" and browsed the web but User2 popped up in the live users section on the sophos for that server.

Client type is STAS

Any ideas on this LuCar?

STAS? If you have a terminal server, STAS should exclude this terminal server. Essentially the best way is always to have one mechanism per client. So exclude in STAS your terminal servers. 

Excluded terminal server from STAS but still not picking up logged in user

Do you see any AD SSO authentication requests in authentication log? 

I can't see anything at all in the authentication log - it just sits there with the wheel spinning forever and nothing loads

So likely there is no entry? Could the NASM be dead in your scenario? You should check access_server.log and nasm.log if you see any problems there. 

Don't really know what I'm looking at, but here they are

nasm.log:

SFV1C4_AZ01_SFOS 19.0.0 GA-Build317# tail nasm.log                              
Jun 04 13:57:47.107957Z  [ntlmserver]  fasm_processor(): AD channel is UP so inf
orming client now                                                               
Jun 04 13:57:47.107994Z  [ntlmserver]  inform_channel_status(): sumit DATA to pr
oxy='0 0 0 0 0 0 0 0 5 8 0 0 '                                                  
Jun 04 13:57:47.108000Z  [ntlmserver]  inform_channel_status(): informing channe
l status to http proxy, channel status=1                                        
Jun 04 13:57:47.108003Z  [ntlmserver]  fasm_processor(): AD channel is UP so inf
orming client now                                                               
Jun 04 13:57:47.108438Z  [ntlmserver]  inform_channel_status(): sumit DATA to pr
oxy='0 0 0 0 0 0 0 0 5 8 0 0 '                                                  
Jun 04 13:57:47.108450Z  [ntlmserver]  inform_channel_status(): informing channe
l status to http proxy, channel status=1                                        
Jun 04 13:57:47.108454Z  [ntlmserver]  fasm_processor(): AD channel is UP so inf
orming client now                                                               
Jun 04 13:57:47.108488Z  [ntlmserver]  inform_channel_status(): sumit DATA to pr
oxy='0 0 0 0 0 0 0 0 5 8 0 0 '                                                  
Jun 04 13:57:47.108494Z  [ntlmserver]  inform_channel_status(): informing channe
l status to http proxy, channel status=1                                        
Jun 04 13:57:47.108501Z  [ntlmserver]  fasm_processor(): domain informed by nasm
 is 'xxxx'                                          

access_server.log

SFV1C4_AZ01_SFOS 19.0.0 GA-Build317# tail access_server.log                     
MESSAGE   Jun 05 10:09:51.572706Z [CAA]: (CA_keep_alive): Next CA batch in 45 se
conds                                                                           
MESSAGE   Jun 05 10:10:03.115783Z [access_server]: tlvserver_process_request: GO
T ALERT.EXECUTE_HEARTBEAT                                                       
MESSAGE   Jun 05 10:10:36.616862Z [CAA]: (CA_keep_alive): access_server heartbea
t                                                                               
MESSAGE   Jun 05 10:10:36.616883Z [CAA]: (CA_keep_alive): Next CA batch in 45 se
conds                                                                           
MESSAGE   Jun 05 10:11:03.396166Z [access_server]: tlvserver_process_request: GO
T ALERT.EXECUTE_HEARTBEAT                                                       
MESSAGE   Jun 05 10:11:21.660407Z [CAA]: (CA_keep_alive): access_server heartbea
t                                                                               
MESSAGE   Jun 05 10:11:21.660441Z [CAA]: (CA_keep_alive): Next CA batch in 45 se
conds                                                                           
MESSAGE   Jun 05 10:12:03.611785Z [access_server]: tlvserver_process_request: GO
T ALERT.EXECUTE_HEARTBEAT                                                       
MESSAGE   Jun 05 10:12:06.704338Z [CAA]: (CA_keep_alive): access_server heartbea
t                                                                               
MESSAGE   Jun 05 10:12:06.704360Z [CAA]: (CA_keep_alive): Next CA batch in 45 se
conds                                                                 

Check the nasm log for anything, which looks like an error. Basically the nasm should be joining. 

Potentially this could be an error: https://community.sophos.com/sophos-xg-firewall/sfos-v18-early-access-program/f/feedback-and-issues/117669/adsso-ntlm-bug-in-v18-eap3/426421

Have run these commands but authentication log still not loading

service -ds nosync nasm:stop
rm -rf /content/nasm
service -ds nosync nasm:start