sophos xg home to AD password/group synchronization

Question

Hi, 
 I have Sophos home deployed in our network, with AD groups synced-in from AD server for user-based internet access. 
 For a month or so now, when any users changes their domain user password, SSO (single sign on) does not work for them and they have to sign into the Sophos web portal once on with the new domain password (i guess to get the new domain password sync into Sophos) before internet starts working for them. They dont need to login to web portal again until they change the password again (may be months later). 
 Is there some setting that i can do to make SSO work after domain password change (followed by a reboot)?

Mayur Makvana · Answer

Hello Moeed Aziz , 
 Thank you for reaching to the Sophos Community! 
 There is no specific settings required on Sophos to work. As the firewall will act as accounting server only and will send the authorization request to the AD server. 
 1. Collect the log viewer snapshot of the authentication error received while they failed to login. 
 2. Add Authentication service in debug from advance shell using below: 
 service access_server:debug -ds nosync (Use the same command to disable the debug once the logs are collected) 
 3. Once the service in debug, use the below command to review the authentication logs: 
 cd /log 
 tail -f access_server.log 
 4. Try login with the user whose password changed. 
 5. Simultaneously review the security event on your AD server for the user. 
 You may paste the access_server logs and snapshot of the failed login to review it further.