Active Directory: authentication policy


Applies to: Windows Server 2016, Windows Server 2019, Windows Server 2022

Presentation of authentication policies

Starting with Windows Server 2012 R2 and the new Active Directory Administrative Center (ADAC) console, Microsoft added authentication policies, which provide an additional layer of security on top of the classic logon rights.

In short, an authentication policy controls which computers (desktops or servers) a user is allowed to log on to, or, conversely, which users are allowed to log on to a given computer.

They also make it possible to force the use of a more secure authentication protocol: an account restricted in this way must authenticate with Kerberos (with armoring and claims) rather than NTLM.

In this tutorial we cover the first point: one policy that restricts logon on a given computer to a defined user, and a second policy that restricts a defined user to logging on only from a defined set of workstations.

Prerequisites for using authentication policies

  • A domain functional level of Windows Server 2012 R2 or higher (so every domain controller must run at least Windows Server 2012 R2).

Policies that limit user logons to computers rely on Kerberos claims and armoring (the client's device identity has to be conveyed to the KDC), which must be enabled by group policy on both the domain controllers and the clients.

The following settings must be configured:

  • Computer Configuration / Policies / Administrative Templates / System / KDC / KDC support for claims, compound authentication and Kerberos armoring: Enabled, with the option set to Supported (applied to the domain controllers).
  • Computer Configuration / Policies / Administrative Templates / System / Kerberos / Kerberos client support for claims, compound authentication and Kerberos armoring: Enabled (applied to the computers that will be subject to the policies).
GPO: Kerberos claims
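The following PowerShell script is an added example, not part of the original tutorial: it checks the two prerequisites above (domain functional level and domain controller versions) and creates the two GPOs with the GroupPolicy module instead of the editor. The GPO names are illustrative, and the registry values used (EnableCbacAndArmor and CbacAndArmorLevel under the KDC and Kerberos policy keys) are assumed to be the ones the KDC/Kerberos administrative templates write; confirm them by opening the resulting GPOs in the Group Policy Management Editor.

```powershell
# Added example: prerequisite checks and GPOs for Kerberos claims/armoring.
# Not the tutorial's own code. GPO names are illustrative; registry value
# names are assumed to match the KDC/Kerberos ADMX templates.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain

# 1. Domain functional level must be at least Windows Server 2012 R2
$required = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain
if ([int]$domain.DomainMode -lt [int]$required) {
    throw "Domain functional level is $($domain.DomainMode); $required or higher is required."
}

# 2. List the DCs with their OS so any pre-2012 R2 DC is obvious
Get-ADDomainController -Filter * |
    Select-Object HostName, OperatingSystem, IsGlobalCatalog |
    Format-Table -AutoSize

# 3. KDC side: "KDC support for claims, compound authentication and Kerberos
#    armoring" = Enabled / Supported, linked to the Domain Controllers OU.
$kdcKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'
$kdcGpo = New-GPO -Name 'Kerberos - KDC claims and armoring'
Set-GPRegistryValue -Name $kdcGpo.DisplayName -Key $kdcKey `
    -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1 | Out-Null
# Assumed mapping: 1 = Supported, 2 = Always provide claims,
# 3 = Fail unarmored authentication requests
Set-GPRegistryValue -Name $kdcGpo.DisplayName -Key $kdcKey `
    -ValueName 'CbacAndArmorLevel' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $kdcGpo.DisplayName -Target $domain.DomainControllersContainer -LinkEnabled Yes | Out-Null

# 4. Client side: "Kerberos client support for claims, compound authentication
#    and Kerberos armoring" = Enabled, linked at the domain root here.
$cltKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$cltGpo = New-GPO -Name 'Kerberos - client claims and armoring'
Set-GPRegistryValue -Name $cltGpo.DisplayName -Key $cltKey `
    -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $cltGpo.DisplayName -Target $domain.DistinguishedName -LinkEnabled Yes | Out-Null

# 5. Read the settings back from both GPOs
Get-GPRegistryValue -Name $kdcGpo.DisplayName -Key $kdcKey | Format-Table ValueName, Value
Get-GPRegistryValue -Name $cltGpo.DisplayName -Key $cltKey | Format-Table ValueName, Value
```

Run `gpupdate /force` on the domain controllers and on the test client afterwards; the client setting only matters for computers that will actually be named in a policy, so linking it to a narrower OU is fine.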

Management of authentication policies

Authentication policies are managed with the Active Directory Administrative Center console (ADAC).

From a domain controller, launch the console.

Active Directory Administrative Center (ADAC)

Once the console is loaded, use the navigation pane on the left and click Authentication (1).

ADAC

In the Authentication container, click Authentication Policies (1).

ADAC - Authentication

This container lists the existing authentication policies; it is empty for now. New policies are also created from here.

Now that we know where policies are managed, let's see how to create them.

Authentication policy: limit logon on a computer / server to a specific user

In this part of the tutorial we create a policy that allows only a user we define to log on to a given computer.

This type of policy can be used for VIP workstations, to prevent anyone else from logging on, or for sensitive servers, to limit who can authenticate to them.

In the following example we configure a single user account; an Active Directory group can be used instead.

To illustrate the example, the LAB-CLT-1 computer is dedicated to the human resources director, who uses the Active Directory account Director HR. Once the policy has been created, we will try to open a session with the User1 HR account.

From the ADAC console, in the Authentication Policies container, click New (1) then Authentication Policy (2).

New policy

In the General section, enter the name of the policy (1) and a description if needed (2), then click the Add button (3) in the Accounts section.

A policy can also be created in audit-only mode: with this option selected nothing is blocked, but the failures that would have occurred are still logged, which is a safe way to test a policy before enforcing it.

Select the computer account (1); once it has been added, go to the Computer section (2).

We must now configure who can connect to the computer; by default the condition allows all resources. Click the Edit button (1).

Click Add a condition (1).

In the condition line, click Add items (1).

Select the user (1) and click OK (2).

Select the user allowed to log on to the computer

Click OK (1) to save the condition and close the window.

Save condition

The user (1) now appears in the condition definition; click OK (2) to save the policy.

Configured policy

The authentication policy that has just been created now appears in the ADAC console.

If any other user tries to log on to the computer, the following error message is displayed: The computer you are signing into is protected by an authentication firewall. The specified account is not allowed to authenticate to the computer.

Authentication policy: limit a user's logon to a set of computers

In this part we set up an authentication policy that limits a user to logging on only from a defined group of computers.

To illustrate, the Student IT user will be allowed to log on only from computers that are members of the Grp_Computers_Service_IT group.

In the ADAC console, create a new policy: New (1) / Authentication Policy (2).

New policy

Name the policy (1), add a description (2) and click the Add button (3).

Config policy

Select the Active Directory object(s) to which the authentication policy will apply (1), then click OK (2).

Select AD Users

With the user account added (1) to the authentication policy, go to the User Sign On section (2) and click Edit (3) next to the conditions.

Click Add a condition (1).

Click the Add items (1) button.

Select the Active Directory group (1) that contains the computers from which the user is allowed to log on, then click OK (2).

Authentication policy: select the AD group

Once the condition has been configured, click OK (1) to return to the authentication policy.

The group has been added (1) to the conditions of the User Sign On section. Click OK (2) to save the authentication policy.

The policy is available in the Active Directory Administrative Center.

List of authentication policies

If the Student IT user tries to log on to a computer that is not a member of the group configured in the authentication policy, the following error message appears: Your account is configured to prevent you from using this PC. Please try another PC.
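As an added example, not part of the original tutorial, here are the two policies from both sections (the computer restricted to the HR director, and the Student IT user restricted to the IT workstations) created with the ActiveDirectory module instead of ADAC. It assumes the names used in the tutorial (LAB-CLT-1, Grp_Computers_Service_IT), a hypothetical group Grp_LAB-CLT-1_Allowed containing the Director HR account (the tutorial selects the user directly; a group works as well, as noted above), and a sAMAccountName of student.it for the Student IT user. The conditional-ACE SDDL is assumed to be the form ADAC writes for a "member of group" condition with the group SID substituted; before relying on it, create one policy in ADAC and compare with what Get-ADAuthenticationPolicy returns.

```powershell
# Added example: the tutorial's two policies built with PowerShell.
# Not the tutorial's own code. Group Grp_LAB-CLT-1_Allowed and the
# sAMAccountName student.it are assumptions; the SDDL condition format is
# assumed to match what ADAC generates for a "member of group" condition.
Import-Module ActiveDirectory

# Build a conditional ACE: Everyone (WD) is granted the control access right (CR)
# only when the authenticating principal is a member of any of the given groups.
function New-MemberOfAnyCondition {
    param([Parameter(Mandatory)][string[]]$GroupName)
    $sids = foreach ($g in $GroupName) {
        'SID(' + (Get-ADGroup -Identity $g).SID.Value + ')'
    }
    return 'O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {' + ($sids -join ', ') + '}))'
}

# --- Policy 1: only members of Grp_LAB-CLT-1_Allowed may authenticate to LAB-CLT-1
$hrCondition = New-MemberOfAnyCondition -GroupName 'Grp_LAB-CLT-1_Allowed'
$hrPolicy = New-ADAuthenticationPolicy -Name 'LAB-CLT-1 - HR director only' `
    -Description 'Only the HR director may authenticate to LAB-CLT-1' `
    -ComputerAllowedToAuthenticateTo $hrCondition `
    -Enforce $true `
    -ProtectedFromAccidentalDeletion $true `
    -PassThru
# The policy only does something once it is assigned to the computer account
Set-ADComputer -Identity 'LAB-CLT-1' -AuthenticationPolicy $hrPolicy

# --- Policy 2: Student IT may sign on only from members of Grp_Computers_Service_IT
$itCondition = New-MemberOfAnyCondition -GroupName 'Grp_Computers_Service_IT'
$itPolicy = New-ADAuthenticationPolicy -Name 'Student IT - IT workstations only' `
    -Description 'Student IT may sign on only from IT service workstations' `
    -UserAllowedToAuthenticateFrom $itCondition `
    -Enforce $true `
    -ProtectedFromAccidentalDeletion $true `
    -PassThru
Set-ADUser -Identity 'student.it' -AuthenticationPolicy $itPolicy

# --- Read back: what is assigned and what the conditions look like
Get-ADAuthenticationPolicy -Filter * -Properties * |
    Select-Object Name, Enforce, ComputerAllowedToAuthenticateTo, UserAllowedToAuthenticateFrom |
    Format-List
Get-ADComputer -Identity 'LAB-CLT-1' -Properties AuthenticationPolicy |
    Select-Object Name, AuthenticationPolicy
Get-ADUser -Identity 'student.it' -Properties AuthenticationPolicy |
    Select-Object SamAccountName, AuthenticationPolicy
```

To start in audit-only mode, as the tutorial suggests, pass `-Enforce $false` and switch to `$true` with Set-ADAuthenticationPolicy once the log shows no unexpected failures. A policy applies to new tickets: a user who already has a TGT keeps working until it is renewed, so test after a fresh logon. Note also that a user restricted to specific devices can no longer use NTLM network authentication unless the policy explicitly allows it, which is exactly the "more secure protocol" effect mentioned in the introduction.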

Enable logging

Authentication policy failures are recorded in a dedicated event log on the domain controllers, but that log is disabled by default, so it must be enabled on each DC.

In Event Viewer, under Applications and Services Logs / Microsoft / Windows / Authentication, right-click AuthenticationPolicyFailures-DomainController and click Enable Log.

Enable Log

Here is the event that was generated when the Student IT user tried to log on to a computer that is not a member of the group configured in the authentication policy.
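Since the log has to be enabled on every domain controller, an added example (not part of the original tutorial) that does it from one console and then gathers the most recent failures from all DCs. It assumes the ActiveDirectory module, WinRM access to the domain controllers and an account allowed to manage event logs on them.

```powershell
# Added example: enable the authentication policy failure log on all DCs and
# collect recent failures. Not the tutorial's own code; assumes WinRM to the DCs.
Import-Module ActiveDirectory

$logName = 'Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController'
$dcs = (Get-ADDomainController -Filter *).HostName

# The log is disabled by default; "wevtutil sl" (set-log) enables it on each DC,
# then "wevtutil gl" (get-log) reads the state back so the change is verified.
Invoke-Command -ComputerName $dcs -ArgumentList $logName -ScriptBlock {
    param($name)
    wevtutil sl $name /e:true
    $state = (wevtutil gl $name | Select-String '^enabled:').Line
    "{0}: {1}" -f $env:COMPUTERNAME, $state
}

# Failures are logged on whichever DC handled the request, so query every DC
# and merge the results, newest first.
$events = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -LogName $logName -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'DC'; e = { $dc } }, TimeCreated, Id, Message
}
$events | Sort-Object TimeCreated -Descending | Format-Table -Wrap
```

Get-WinEvent returns an error rather than an empty result when a log has no events yet, which is why the query uses `-ErrorAction SilentlyContinue`. This same log is what makes the audit-only mode useful: a policy that is not enforced still writes its would-be failures here, so you can see who would have been blocked before turning enforcement on.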
