Forum Discussion
A sample deployment of Authentication Policies and Authentication Policy Silos in Active Directory!
Hello TomWechsler
I tried to reproduce those steps, and ended up with the same result as you - however, I do not understand why Tina is denied access to FS01.
We define a policy restricting access to FS01 to users and computers belonging to "fs01-silo" - and Tina belongs to this silo.
What did I miss?
Regards,
Here's what's missing, and it changes the entire premise of the conclusion - sorry, TomWechsler:
We also need to enable the Kerberos client support for claims, compound authentication, and Kerberos armoring on clients.
The policy setting is under
Computer Configuration > Administrative Templates > System > Kerberos - "Kerberos client support for claims, compound authentication, and Kerberos armoring"
When this is applied and the client host is rebooted, the Auth Policy / Policy Silo setup works as expected; the specified user logs into the host successfully, while any other user will receive the "protected by an authentication firewall" message, even if that user has group/explicit permissions to the local Remote Desktop Users group.
(credit to thesleepyadmins.com for pointing that out!)
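
A prerequisite check for the setup discussed in this thread, as an added example that is not part of any poster's reply: it verifies silo enforcement, silo membership and assignment for the user and host, and the client-side Kerberos setting named above. The names `fs01-silo`, `Tina` and `FS01` come from the thread; the registry value behind the GPO setting and the use of PowerShell remoting are assumptions not stated on the page.

```powershell
#Requires -Modules ActiveDirectory
# Names taken from the thread; change them for your environment.
$SiloName = 'fs01-silo'
$UserName = 'Tina'
$HostName = 'FS01'

$attr = 'msDS-AssignedAuthNPolicySilo'
$silo = Get-ADAuthenticationPolicySilo -Identity $SiloName
$user = Get-ADUser     -Identity $UserName -Properties $attr
$comp = Get-ADComputer -Identity $HostName -Properties $attr

# Assumption: registry value that backs the GPO setting named in the post
# (standard Windows policy location; the thread itself only gives the GPO path).
# Assumption: PowerShell remoting to $HostName is enabled.
$armor = Invoke-Command -ComputerName $HostName -ScriptBlock {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    (Get-ItemProperty -Path $key -Name EnableCbacAndArmor -ErrorAction SilentlyContinue).EnableCbacAndArmor
}

# Each entry is one prerequisite; a False value identifies the missing piece.
$checks = [ordered]@{
    'Silo is enforced, not audit-only'         = [bool]$silo.Enforce
    'User is a permitted member of the silo'   = $silo.Members -contains $user.DistinguishedName
    'Host is a permitted member of the silo'   = $silo.Members -contains $comp.DistinguishedName
    'User account is assigned to the silo'     = $user.$attr -eq $silo.DistinguishedName
    'Host account is assigned to the silo'     = $comp.$attr -eq $silo.DistinguishedName
    'Kerberos claims/armoring enabled on host' = $armor -eq 1
}

$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Passed = $_.Value }
} | Format-Table -AutoSize
```

Permitted membership and account assignment are checked separately because an account can be listed in the silo without the silo being assigned to it.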