A sample deployment of Authentication Policies and Authentication Policy Silos in Active Directory!
Hello TomWechsler
I tried to reproduce those steps, and ended up with the same result as you - however, I do not understand why Tina is denied access to FS01.
We define a policy restricting access to FS01 to users and computers belonging to "fs01-silo" - and Tina belongs to this silo.
What did I miss?
Regards,
- geakin, Sep 18, 2024 (Microsoft)
Here's what's missing, and it changes the entire premise of the conclusion - sorry TomWechsler:
We also need to enable the Kerberos client support for claims, compound authentication, and Kerberos armoring on clients.
The policy setting is under
Computer Configuration > Administrative Templates > System > Kerberos - "Kerberos client support for claims, compound authentication, and Kerberos armoring"
When this is applied and the client host is rebooted, the Auth Policy / Policy Silo setup works as expected; the specified user logs into the host successfully, while any other user will receive the "protected by an authentication firewall" message, even if that user has group/explicit permissions to the local Remote Desktop Users group.
(credit to thesleepyadmins.com for pointing that out!)
- Derfel74, Jan 16, 2024 (Copper Contributor)
Alban1998, you are right: the purpose of the Authentication silo is to PERMIT login for the accounts into the computer specified in the silo itself (authentication policy condition).
What we have in this article is the demonstration that the Silo is NOT working as expected, as Tina should be able to log in to FS01 and nothing else (due to the condition applied).
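
A way to check the client-side setting described in geakin's reply, together with the silo configuration the thread discusses. This is an added example, not part of the original thread. The account names `tina` and `FS01` and the registry value `EnableCbacAndArmor` (the value the Kerberos client policy is assumed to write) are assumptions; `fs01-silo` is the silo name quoted in the thread.

```powershell
# Added example. Run on the member server (FS01 in the thread) with the RSAT
# ActiveDirectory module installed. Names below are assumptions for illustration.
param(
    [string]$SiloName     = 'fs01-silo',   # silo name quoted in the thread
    [string]$UserName     = 'tina',        # assumed sAMAccountName
    [string]$ComputerName = 'FS01'         # assumed computer name
)
Import-Module ActiveDirectory

# 1. Client side: "Kerberos client support for claims, compound authentication,
#    and Kerberos armoring". Assumed registry value written by that policy.
#    Per the reply, the host must be rebooted after the policy applies.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$val = (Get-ItemProperty -Path $key -Name EnableCbacAndArmor -ErrorAction SilentlyContinue).EnableCbacAndArmor

# 2. Directory side: the silo, and the two accounts that should be inside it.
$silo = Get-ADAuthenticationPolicySilo -Identity $SiloName -Properties Members
$user = Get-ADUser     -Identity $UserName     -Properties 'msDS-AssignedAuthNPolicySilo'
$comp = Get-ADComputer -Identity $ComputerName -Properties 'msDS-AssignedAuthNPolicySilo'

$checks = @(
    [pscustomobject]@{ Check = 'Client: Kerberos armoring policy enabled'; Pass = ($val -eq 1) }
    [pscustomobject]@{ Check = "Silo '$SiloName' is enforced (not audit only)"; Pass = [bool]$silo.Enforce }
)

# An account must be both listed as a permitted member of the silo and have the
# silo assigned on the account object itself.
foreach ($acct in $user, $comp) {
    $permitted = $silo.Members -contains $acct.DistinguishedName
    $assigned  = $acct.'msDS-AssignedAuthNPolicySilo' -eq $silo.DistinguishedName
    $checks += [pscustomobject]@{
        Check = "$($acct.SamAccountName): permitted in silo and silo assigned"
        Pass  = ($permitted -and $assigned)
    }
}

$checks | Format-Table -AutoSize

# Non-zero exit code if any check failed, so the script can be used in automation.
if ($checks.Pass -contains $false) { exit 1 }
```

Confirm the applied policy with `gpresult /r /scope computer` if the registry check fails after a reboot.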