VPN user restricted login to workstations cannot log in to VPN server

active-directory, sonicwall, vpn

We have a vendor that requires Domain Admin access on the servers where their software is deployed. (Obviously we want to restrict them to only being able to log in to the servers where their software is deployed.) In AD, we have used the "Log On To…" setting to restrict that user to those particular servers.

However, our VPN (Sonicwall NSA 2400) cannot authenticate the user when restricted servers are set. It returns: "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 531, v1db1". According to this, the error is that the Sonicwall is not a permitted workstation. I have added the IP of the Sonicwall to the allowed workstations, but it has not removed the error. When I change the logon restriction to all workstations, the user is allowed to log in to the VPN and the Sonicwall says login successful.

Is there a way I can get the Sonicwall to authenticate the user while still keeping the restricted login? I am open to alternatives to our method.

Best Answer

Sounds like the reason it can't authenticate is that the user can't authenticate against the DC, as it's not one of the servers you've allowed access to.

If you allow the connection across the board as you've suggested, and then limit the access for that user to only allow remote access to specific servers on the individual servers in question, then he should be able to auth against the DC but not log into it.

Hope that made sense.
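The following is an added diagnostic example, not code from the question or the answer. It parses the `data NNN` sub-code out of an AD bind error like the one quoted in the question, and, for sub-code 531, checks a constructed `LogonWorkstations` value against the answer's hypothesis that the domain controllers must themselves be in the allowed list. It assumes the attribute holds NetBIOS computer names (as `userWorkstations` is defined), so an IP-address entry such as the one the asker added never matches; the host names and IP are constructed sample values.

```python
import ipaddress
import re
from typing import Optional, Tuple

# Well-known AD sub-codes that follow "AcceptSecurityContext error, data".
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

def parse_bind_error(message: str) -> Optional[Tuple[str, str]]:
    """Return (sub-code, meaning) from an AD LDAP bind error, or None if absent."""
    m = re.search(r"AcceptSecurityContext error, data ([0-9A-Fa-f]+)", message)
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_SUBCODES.get(code, "unknown sub-code")

def _is_ip_literal(entry: str) -> bool:
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        return False

def check_logon_workstations(logon_workstations: str, domain_controllers) -> dict:
    """LogonWorkstations is a comma-separated list of NetBIOS computer names.
    Report DCs absent from the list and entries that are IP literals, which an
    IP is never compared against and so never permit anything."""
    entries = [e.strip() for e in logon_workstations.split(",") if e.strip()]
    names = {e.upper() for e in entries}
    return {
        "missing_dcs": [dc for dc in domain_controllers if dc.upper() not in names],
        "ip_entries": [e for e in entries if _is_ip_literal(e)],
    }

def diagnose(message: str, logon_workstations: str, domain_controllers) -> dict:
    """Combine both checks: only a 531 error warrants the workstation-list review."""
    parsed = parse_bind_error(message)
    if parsed is None or parsed[0] != "531":
        return {"subcode": parsed, "workstation_check": None}
    return {"subcode": parsed,
            "workstation_check": check_logon_workstations(logon_workstations, domain_controllers)}
```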