STAS and User logging not working as expected

Hello Alex Harding1 ,

Thank you for reaching out to the community, we can see the users authenticated under the STAS live user list are authenticated with the logon type 3.
Meaning when the Agent is running on a Member Server and NOT on the Domain Controller (DC), then the Logon Type is 3 instead of 2. This Logon Type 3 came with STAS v2.5 and above. Is the following rule created is on the top of all the FW rules ? Can you share the diagnostics > packet capture, when you have set it to "ANY" and when you have kept it "Domain User?" 

Sure, I will give it a go.
Any filters in particular that I need to set?

Yes User based rule is above the  non user based rule.
These are the only two LAN to WAN rules I have. 

Monitor traffic using Packet Capture Utility : https://support.sophos.com/support/s/article/KB-000035761?language=en_US
You can use the src client IP as the host to filter out the traffic flow ! !

Monitor traffic using Packet Capture Utility : https://support.sophos.com/support/s/article/KB-000035761?language=en_US
You can use the src client IP as the host to filter out the traffic flow ! !

Set to domain users

Ethernet header
Source MAC address:74:8*******
Destination MAC address: 7c:5*******
Ethernet type IPv4 (0x800)

IPv4 Header
Source IP address:10.2******
Destination IP address:91.1******
protocol: TCP
Header:20 Bytes
Type of service: 0
Total length: 40 Bytes
Identification:38899
Fragment offset:16384
Time to live: 128
Checksum: 64579

TCP Header:
Source port: 57568
Destination port: 443
Flags: ACK
Sequence number: 249620782
Acknowledgement number: 1008359775
Window: 1026
Checksum: 54549

Set to ANY

Ethernet header
Source MAC address:74:8*******
Destination MAC address: 7c:5*******
Ethernet type IPv4 (0x800)

IPv4 Header
Source IP address:10.2*****
Destination IP address:91.1*****
protocol: TCP
Header:20 Bytes
Type of service: 0
Total length: 40 Bytes
Identification:39059
Fragment offset:16384
Time to live: 128
Checksum: 64419

TCP Header:
Source port: 57568
Destination port: 443
Flags: ACK
Sequence number: 249620782
Acknowledgement number: 1008940507
Window: 1026
Checksum: 63632

No, just share the screenshot of the GUI packet capture, do you any traffic going in and out from the interface and which FW rule id or NAT id it detects ? 

Interestingly the Rule IDs show as 0 for both

Any

Domain users

However, they should be hitting FW Rule 15/16.

The AD server and the local users are both in the same zone right ?
And all the domain users are present under the group Doman users, right ?
if authentication zone LAN is in the picture, can you ensure the option "client authentication" is enabled under the administration > device access  

Here is also the best practice guide you may want to refer - Sophos Firewall: Best practice for STAS

Hi,

Yep the server and users are in the same Zone.
Yep users are part of the domain users group

and yep, Client Auth is enabled for LAN under Device Access

I have had a quick look at that guide and I have done all that is listed.
Strange one, will continue to have a play.

I have reached out to Support as everything is the same as that guide.

Cheers