Hello, we are in the middle of integrating our on-premise AD to our SOPHOS firewall. We had to download the SOPHOS firewall plugin to connect to AD and server information. Apparently the app reads certain particular events that tell it if a user has logged in or logged out of his or her computer system, and based on that considers the user active and therefore starts logging and allowing that AD user access to the internet.
Currently this is not working, and the cause per the SOPHOS Senior engineer is that when the user signs in, in the event viewer we see ID 4624 pop up, but right after we get an event 4634 stating a logoff and the following message...
"This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer"
The SOPHOS Engineer specifically said event ID 4634 is causing this issue.
It makes sense that 4634 may be causing issues, since it says the user is logged off when in fact they just logged in, but is event ID 4634 a normal event across all servers or an issue I must fix?
- Currently only 1 domain controller
- Windows Server 2016
- About 60 users
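
Pairing the two events by Logon ID, as the quoted event description says is possible, shows which logon session each 4634 closes, what its logon type was and how long it lasted. This is an added example, not part of the original post and not Sophos code; it assumes Security events exported as XML under one root element (for example `wevtutil qe Security /f:xml /e:Events`), and the records, user names and Logon IDs in it are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(event_id, when, user, logon_id, logon_type):
    # Builds one constructed record, trimmed to the fields used below.
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><EventID>{event_id}</EventID><TimeCreated SystemTime="{when}"/></System>'
        f'<EventData><Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="TargetLogonId">{logon_id}</Data>'
        f'<Data Name="LogonType">{logon_type}</Data></EventData></Event>')

# Constructed sample input (not taken from the post).
SAMPLE = "<Events>" + "".join([
    _event(4624, "2024-01-01T09:00:00.0000000Z", "alice", "0x1A2B3C", 3),
    _event(4634, "2024-01-01T09:00:01.0000000Z", "alice", "0x1a2b3c", 3),
    _event(4624, "2024-01-01T09:05:00.0000000Z", "bob", "0x2b3c4d", 2),
]) + "</Events>"

def parse(xml_text):
    """Yield id, time, user, Logon ID and logon type for each 4624/4634."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if event_id not in (4624, 4634):
            continue
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        stamp = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        yield {"id": event_id,
               # Whole seconds only: sub-second digits are dropped.
               "time": datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S"),
               "user": data["TargetUserName"],
               "logon_id": data["TargetLogonId"].lower(),
               "type": int(data["LogonType"])}

def correlate(events):
    """Pair each 4624 with the 4634 that carries the same Logon ID.
    Logon IDs are only unique per computer between reboots, so feed
    this one computer's log for one boot at a time."""
    pending, sessions = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4624:
            pending[ev["logon_id"]] = ev
        elif ev["logon_id"] in pending:
            start = pending.pop(ev["logon_id"])
            seconds = (ev["time"] - start["time"]).total_seconds()
            sessions.append((start["user"], start["type"], seconds))
    # Logons with no matching 4634 are still open: duration None.
    sessions += [(s["user"], s["type"], None) for s in pending.values()]
    return sessions
```

`correlate(parse(SAMPLE))` returns one tuple per logon session: user, logon type, and seconds until the matching 4634, or `None` when no logoff was recorded.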