
SSO AD User logout continuously

Hi,

I have an XG firewall with AD SSO.

The users logged into the firewall are continuously logged out after 20 minutes.

2016-04-11 08:44:32 | Firewall Authentication | SUCCESSFUL | dario.zzzz@xxxx.local | 172.16.29.115 | CTA | N/A | User dario.zzzz@xxxx.local was logged out of firewall | 17703
2016-04-11 08:28:48 | Firewall Authentication | SUCCESSFUL | dario.zzzz@xxxx.local | 172.16.29.115 | CTA | AD | User dario.zzzz@xxxx.local of group Proxy_All logged in successfully to Firewall through AD authentication mechanism from 172.16.29.115 | 17701


I have followed all the guides but I cannot fix it.

Thanks

Emil
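One way to check whether logouts like these follow a fixed timer rather than real user logoffs is to pair login and logout events per user and source IP and look for a repeating session length. This is an added example, not part of the thread or of any Sophos tooling; the pipe-separated export format, the function names and the sample rows are constructed, and only the message IDs 17701 (login) and 17703 (logout) come from the log excerpt above.

```python
from collections import Counter
from datetime import datetime

# Message IDs as they appear in the post's log excerpt.
LOGIN_ID, LOGOUT_ID = "17701", "17703"

# Constructed sample export: time|user|source IP|message ID (format is an assumption).
SAMPLE = """\
2016-04-11 08:08:41|user.a@example.local|172.16.29.115|17701
2016-04-11 08:28:41|user.a@example.local|172.16.29.115|17703
2016-04-11 08:28:48|user.a@example.local|172.16.29.115|17701
2016-04-11 08:48:48|user.a@example.local|172.16.29.115|17703
2016-04-11 08:49:02|user.a@example.local|172.16.29.115|17701
2016-04-11 09:09:02|user.a@example.local|172.16.29.115|17703
2016-04-11 08:15:00|user.b@example.local|172.16.29.120|17701
2016-04-11 12:31:10|user.b@example.local|172.16.29.120|17703
"""

def session_lengths(text):
    """Pair each login with the next logout for the same (user, ip).

    Returns a list of (user, ip, minutes) with minutes rounded to the nearest whole.
    """
    open_sessions, sessions = {}, []
    # Timestamps sort lexicographically, so sorting the rows orders them in time.
    events = sorted(line.split("|") for line in text.splitlines() if line.strip())
    for ts, user, ip, msg_id in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        key = (user, ip)
        if msg_id == LOGIN_ID:
            open_sessions[key] = when
        elif msg_id == LOGOUT_ID and key in open_sessions:
            start = open_sessions.pop(key)
            sessions.append((user, ip, round((when - start).total_seconds() / 60)))
    return sessions

def timer_driven(sessions, min_repeats=3):
    """Return {(user, ip): minutes} where one session length repeats min_repeats times."""
    counts = Counter(sessions)
    return {(u, ip): mins for (u, ip, mins), n in counts.items() if n >= min_repeats}

if __name__ == "__main__":
    for (user, ip), mins in timer_driven(session_lengths(SAMPLE)).items():
        print(f"{user} at {ip}: repeated {mins}-minute sessions")
```

A repeated length that matches a configured timeout points at the firewall or collector ending the session, not the user.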



This thread was automatically locked due to age.
  • Hi Leon,

    I have disabled "Enable logoff detection", but now every time marked in "Dead entry timeout" the user is logged out.

    Thanks

    Emil

  • I am having a similar issue and know what is causing it but do not know how to fix it. 

     Scenario:

    USER_A logs into COMPUTER_1 and is authenticated properly.

    USER_A then remote desktops to COMPUTER_2 and logs in as USER_B. 

    USER_B is now showing as the authenticated user for COMPUTER_1, even though it should still be USER_A because USER_A is still logged into COMPUTER_1.

    20 minutes later, USER_A is disconnected and has no access to the internet on COMPUTER_1. 

    Under the STAS exclusion list I've added USER_B as a login exclusion and the IP address of COMPUTER_2 as a login/logoff exclusion. 

    This is extremely annoying, as I am constantly using Remote Desktop to connect to another machine with a different username than the username I am presently logged into on my local machine. 

  • I am having the same problem. It's even more fun because this kills my SSL VPN session after 10 minutes and then every minute afterward. I believe the STAS software is fundamentally broken when it comes to WMI queries for logoff information. I followed this: https://community.sophos.com/kb/en-us/123020

    Every 10 minutes it tries to connect to the computers via WMI to verify and it fails and then terminates the user sessions. However, if I simultaneously run the WMI query in the article, it shows me the correct username logged into the computer. Interestingly enough, it tries to connect to non-Windows computers that have no users in the "Live Users" table, and those obviously fail too.

    What would be the implication of just disabling all automatic logoff/session idle timers?  I would think that in theory, user A logs in and then logs off, the XG doesn't know about the logoff and still shows them as on, but if user B then comes and logs in to the same machine sometime later, wouldn't the STAS event update the Sophos box and say "User B is now logged in at IP blah blah?"  As far as I know, I believe this is how Meraki does it. 

    All in all this is extremely frustrating. 

  • I have exactly the same problem - if I switch on logoff detection, some users are randomly disconnected. I have coped with this problem since ancient times - CTAS + UTM.

    We tried several configurations (one STAS, two STAS, different agents etc.) - simply, it will be much better if this simply works.

    BTW: Can we disable WMI polling completely?

    Even if we have "logoff detection" switched off, WMI/remote registry polling runs permanently.

  • Hi, all

    I have the same issue: I see the user connecting in the morning, and I see the authentication log in the AD events, STAS and the Live Users. After a period of time the user is disconnected from the Live Users; if the user tries to navigate, he gets a block for no authentication. After around 2-3 mins the user can navigate, but not with the user name I authorize, like irvinr; I see in the Live Users the name of a computer, "host".

    I really don't know what is going on, but this behaviour happens a lot. So that the users don't call me a lot, I put in another rule for users allowing the opengroup to navigate.

    It happens all day long.

    Any similar issue or user with this behaviour?

    Why doesn't Sophos put in the same prefetch to collect all the users' information from the DC like UTM v9.4?

    Best regards.

  • Hi Irvin,

    I don't know if it's true, but I think it's a connection with this authentication behavior STAS / CTA.

    I have another situation with a Windows 2008 R2 Domain Controller, and it works well.

    It seems to occur in environments where STAS is installed with a Windows 2012 DC, but I need to test again.

    If I restart STAS, live users come back!

    Gabriele

  • Hi,

    I tried everything to resolve this issue but it keeps happening. See the image.

    Anyone see this issue?

    The STAS is getting the computer name and not the user name from the domain controller. If I search for the user in the STAS Live Users, I see the user connected on the computer.

    Anyone know how to stop the automatic logout from the firewall because of inactivity time? I don't have it active on STAS or Authentication > Services > NTLM.

    Best regards.

    Thanks

     

  • Hi all, this is exactly our situation - we use only STAS on DC servers (3) and now have one collector that sends user info to one XG firewall. When we switch on "logoff detection" in any possible way (Remote registry/WMI, dead hour in every combination), we see some users are logged out and then for 2-3 minutes put into "learning mode". This is an inappropriate term for "to be cut off from LAN".

    The same result was for CTAS (STAS version for UTM) and also for more than one STAS collector.

    Now I am in a resigned state and don't believe that somebody in Sophos can solve it.

  • How about here, do you have Enable User Inactivity enabled or disabled?