Authentication Policy Help Needed

  • Last Post 31 December 2018
cjdavis posted this 27 December 2018

Related to my previous email (Runas /netonly Issue) I’m trying to set up an Authentication Policy that will restrict privileged accounts to domain controllers and specific workstations, but after days of reviewing documentation and following step-by-step how-tos I’m no closer to a working solution than I was when I started.

TL;DR: Tried every how-to on Authentication Policy/Authentication Policy Silo setup for domain controllers and privileged accounts, still seeing Event 305/306 when logging in with said account. Found documentation is multiple variations of the same information and not helpful.

EXHAUSTIVE DETAILS: Here’s what I’ve done so far:

  1. Using the instructions here ( and here (
    1. Enabled the Authentication event logs on the domain controllers
    2. Enabled KDC support for claims… policy setting on the domain controllers
    3. Created an authentication policy in audit mode.
    4. Added the Domain Controllers group (from both domains) and the management server to the User section of the policy (Member of any (Domain Controllers {ROOTDOMAIN\Domain Controllers), Domain Controllers (DOMAIN\Domain Controllers), MEMBERSERVER (DOMAIN\MEMBERSERVER$)})
    5. Added a privileged account to the Accounts section of the policy
    6. Configured the policy in the Authentication Policy section of the same privileged account.
    7. After logging into the management server via RDP and seeing errors in the Authentication logs on the DCs, enabled the Kerberos client support for claims…
  2. After logging into the management server via RDP from our bastion and still seeing errors in the Authentication logs (and seeing errors after clearing the Kerberos ticket cache on the domain controllers and member server) I removed the privileged account and domain controller groups from the authentication policy and tried creating a silo:
    1. Created the authentication policy silo.
    2. Added each of the domain controller computer objects from both the ROOTDOMAIN and DOMAIN and the MEMBERSERVER management server to the silo in the Permitted Accounts.
    3. Added the privileged account to the silo
    4. Changed the authentication policy so that the User condition specified the Authentication Silo (User.AuthenticationSilo Equals "Name of Authentication Policy")
    5. Selected the authentication policy silo option Use a single policy for principals… option and selected the “Name of Authentication Policy” policy.
    6. Opened the properties of each computer and user account and assigned the authentication policy silo to it.
    7. Cleared the Kerberos ticket cache on all domain controllers and the member server
  3. After logging on to the management server via RDP from our bastion and still seeing errors in the Authentication logs, I eliminated the bastion (which is in an untrusted forest) from the equation.
    1. Joined a workstation to the forest after configuring the Kerberos client support for claims…
    2. Added the workstation to the silo in Permitted accounts and configured the workstation’s computer account with the silo.
    3. Rebooted all servers and workstation in the silo.

I’m still seeing the errors that say that “A Kerberos service ticket was issued, but it will be denied when Authentication Policy is enforced for a member of the Protected User group because the user, device, or both does not meet the access control restrictions” with different values for the User, Device and Service fields. There’s next to nothing in the TechNet forums and I’ve tried reconfiguring based on what is there with zero results. On top of the above, I’m seeing Event 306 for computer and server accounts I haven’t added to the silo on purpose. Which makes me wonder: Do ALL computer/service accounts have to be added to the silo if the domain controllers are in the silo? If so, it defeats the purpose.
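As an added example (not code from the thread), the silo build-out described in the post expressed with the ActiveDirectory module cmdlets, followed by a summary of the audit-mode 305/306 events grouped by User/Device/Service so the principal failing the device condition can be identified before the silo is enforced. The silo, policy, DC, member server and admin account names are assumed, and the parsing assumes the User/Device/Service labels appear in the event message text.

```powershell
# Added example; all names below are placeholders, not values from the thread.
Import-Module ActiveDirectory

$SiloName   = 'PrivSilo'                    # assumed silo name
$PolicyName = 'PrivSilo-Policy'             # assumed policy name
$Computers  = @('DC01$', 'DC02$', 'MGMT01$') # assumed DC and member server accounts
$Users      = @('priv.admin')               # assumed privileged account

# Device condition: the device requesting the ticket must itself be a member of the
# silo. Same SDDL shape as Microsoft's documented silo condition, silo name embedded.
$Sddl = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "' +
        $SiloName + '"))'

# 1. Policy created without -Enforce stays in audit mode: 305/306 are logged, not denied.
New-ADAuthenticationPolicy -Name $PolicyName -UserAllowedToAuthenticateFrom $Sddl `
    -UserTGTLifetimeMins 120

# 2. Silo in audit mode, one policy for user, computer and service principals.
New-ADAuthenticationPolicySilo -Name $SiloName -UserAuthenticationPolicy $PolicyName `
    -ComputerAuthenticationPolicy $PolicyName -ServiceAuthenticationPolicy $PolicyName

# 3. Each member must be both permitted in the silo AND have the silo set on its
#    own account; doing only one of the two leaves the principal outside the silo.
foreach ($acct in $Computers + $Users) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account $acct
    Set-ADAccountAuthenticationPolicySilo -Identity $acct -AuthenticationPolicySilo $SiloName
}

# 4. Run on a DC: pull the audit failures and count User/Device/Service combinations.
function Get-EventField([string]$Message, [string]$Label) {
    # Assumes the message carries "<Label>: <value>" lines; returns '' if absent.
    if ($Message -match "\b$Label\s*:\s*(\S+)") { $Matches[1] } else { '' }
}

$Log = 'Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController'
Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = 305, 306 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Id      = $_.Id
            User    = Get-EventField $_.Message 'User'
            Device  = Get-EventField $_.Message 'Device'
            Service = Get-EventField $_.Message 'Service'
        }
    } |
    Group-Object Id, User, Device, Service |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

A device that shows up repeatedly in the Device column but is not in the silo is exactly the case the audit events are meant to surface before enforcement is turned on.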

cjdavis posted this 31 December 2018

Anyone other than Ken have successful experiences with setting up Authentication Policies and/or Authentication Policy Silos?