Authentication silos - User won't get claims

Kevin K 1 Reputation point
2020-07-22T04:59:59.85+00:00

Hey,

I am trying to set up authentication silos. I followed the setup instructions as written on TechNet. In my test environment it is working like a charm. When I log on to the machine with my user account (both of which are members of the silo), I get a user claim (cmd -> whoami /claims).

When I do it exactly this way in my production environment, I am not allowed to log on to any machine, even the ones which are in the silo. After some digging I found out that my user doesn't get a claim, since the output of "whoami /claims" gives me "There are no claims available".

Our prod environment is based on 2016/2019 DCs; forest and domain functional level is 2016. The member servers I have tested it on are 2012 to 2019. All systems are up to date. All relevant GPO settings for member servers and the DCs are configured.

Any ideas where I can start digging into why claims aren't issued to the user account?


3 answers

  1. Daisy Zhou 25,446 Reputation points Microsoft Vendor
    2020-07-24T08:00:09.87+00:00

    Hello

    Based on the link you provided, I did a test in my lab.

    1. Add a domain user (t1) to the Protected Users group.
    (screenshot: 13598-claim11.png)
    2. Create an Authentication Policy.
    (screenshot: 13604-claim3.png)
    3. Create an Authentication Policy Silo.
    (screenshot: 13597-claim4.png)
    4. Bind the Authentication Policy and Authentication Policy Silo to the user account (t1).
    (screenshot: 13652-claim5.png)
    5. Configure the following group policy setting (through local group policy) on the Windows 10 1809 client:
    Computer Configuration > Administrative Templates > System > Kerberos > Kerberos client support for claims, compound authentication and Kerberos armoring

    6. Configure the following group policy setting (through the Default Domain Controllers Policy object) for the domain controller:
    Computer Configuration > Administrative Templates > System > KDC > Key Distribution Center (KDC) client support for claims, compound authentication and Kerberos armoring

    7. When I use the domain account (B\t1) to log on to the client, I cannot log on and get an error message.
    (screenshot: 13653-claim1.png)

    We can check whether we missed some configuration or some configuration is misconfigured.

    For more information, we can refer to the link below.

    Authentication Policies and Authentication Policy Silos
    http://www.rebeladmin.com/2016/03/authentication-policies-and-authentication-policy-silos/

    Best Regards,
    Daisy Zhou

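Steps 1 to 4 of the answer above, done with the ActiveDirectory PowerShell module instead of the ADAC screenshots. This is an added example, not code from the thread or from the linked article; the policy name, silo name and the jump host JUMP01 are assumptions, only the user t1 comes from the answer. It also shows the one check that is worth running before testing a logon: that the account is both permitted in the silo and assigned to it, since the silo claim is only issued when both sides match.

```powershell
# Added example, not part of the thread: steps 1-4 of the answer above done with the
# ActiveDirectory module instead of ADAC. Policy/silo/host names are assumptions;
# run on a DC (or an RSAT host) as a Domain Admin.
Import-Module ActiveDirectory

$User       = 't1'               # user account from the answer
$Hosts      = @('JUMP01')        # assumed computer accounts that form the silo
$PolicyName = 'AdminSilo-Policy' # assumed
$SiloName   = 'AdminSilo'        # assumed

# Step 1: Protected Users. Not required by the silo itself, but it forces AES-only
# Kerberos and removes NTLM/RC4/DES for the account, so the account needs AES keys.
Add-ADGroupMember -Identity 'Protected Users' -Members $User

# Step 2: the authentication policy. The SDDL lets the user's TGT be issued only to a
# device whose AuthenticationSilo claim equals $SiloName; that device claim is what the
# client and KDC GPO settings from steps 5-6 (claims, compound auth, armoring) provide.
$AllowedFrom = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$SiloName`"))"
New-ADAuthenticationPolicy -Name $PolicyName `
    -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $AllowedFrom `
    -Enforce `
    -ProtectedFromAccidentalDeletion $true

# Step 3: the silo, applying the same policy to user, computer and service members.
New-ADAuthenticationPolicySilo -Name $SiloName `
    -UserAuthenticationPolicy $PolicyName `
    -ComputerAuthenticationPolicy $PolicyName `
    -ServiceAuthenticationPolicy $PolicyName `
    -Enforce `
    -ProtectedFromAccidentalDeletion $true

# Step 4: binding is two-sided. The silo must list the account as permitted (Grant-...)
# AND the account must be assigned to the silo (Set-ADAccountAuthenticationPolicySilo).
# With only one half done the KDC issues no silo claim and 'whoami /claims' stays empty.
$accounts = @(Get-ADUser -Identity $User) + ($Hosts | ForEach-Object { Get-ADComputer -Identity $_ })
foreach ($acct in $accounts) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account $acct
    Set-ADAccountAuthenticationPolicySilo -Identity $acct -AuthenticationPolicySilo $SiloName
}

# Verify from both directions before testing a logon: the silo's member list and
# each account's assigned silo (msDS-AssignedAuthNPolicySilo) must agree.
Get-ADAuthenticationPolicySilo -Identity $SiloName -Properties Members |
    Select-Object Name, Enforce, Members
$accounts | ForEach-Object {
    Get-ADObject -Identity $_.DistinguishedName -Properties 'msDS-AssignedAuthNPolicySilo' |
        Select-Object Name, 'msDS-AssignedAuthNPolicySilo'
}
```

After the script, log on to JUMP01 as t1 and run `whoami /claims`; the AuthenticationSilo claim should list the silo name. The GPO settings in steps 5 and 6 are not covered here because they are set through Group Policy, not through the AD cmdlets.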


  3. Kevin K 1 Reputation point
    2020-07-28T10:44:01.297+00:00

    So I enabled Kerberos debugging in my test and production environments. When I log on with a user I get the error "0xe KDC_ERR_ETYPE_NOTSUPP" in our production environment. I don't get this one in the test environment, so I guess something is wrong with Kerberos.

    Any ideas?
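Kerberos error 0xe (14) is KDC_ERR_ETYPE_NOTSUPP: the KDC has no encryption type in common with the requesting principal or the target account. The script below is an added diagnostic example, not part of the thread; it decodes the msDS-SupportedEncryptionTypes bitmask for the user and the silo hosts (so an AES-only account can be spotted next to one that still relies on the DC's default) and reads the registry values that I assume the two GPO settings from the answer write. The user t1 comes from the thread; the host JUMP01 and the registry paths are assumptions.

```powershell
# Added diagnostic example, not part of the thread. Decodes msDS-SupportedEncryptionTypes
# for the user and the silo hosts and reads the registry values behind the two GPO
# settings from the answer. Host name and registry paths are assumptions; run as a Domain Admin.
Import-Module ActiveDirectory

$User  = 't1'            # user from the thread
$Hosts = @('JUMP01')     # assumed silo member computers

# Bits of msDS-SupportedEncryptionTypes (MS-KILE 2.2.7).
$EtypeBits = [ordered]@{
    1  = 'DES_CBC_CRC'                # 0x01
    2  = 'DES_CBC_MD5'                # 0x02
    4  = 'RC4_HMAC'                   # 0x04
    8  = 'AES128_CTS_HMAC_SHA1_96'    # 0x08
    16 = 'AES256_CTS_HMAC_SHA1_96'    # 0x10
    32 = 'AES256_CTS_HMAC_SHA1_96_SK' # 0x20, session-key flag added by the Nov 2022 updates
}

function ConvertTo-EtypeList {
    param([int]$Value)
    # Unset/0 means the DC applies its default (RC4 on older builds), so an account that
    # is AES-only on one side and defaulted on the other is a candidate for 0xe.
    if (-not $Value) { return '(unset: DC default)' }
    ($EtypeBits.GetEnumerator() | Where-Object { $Value -band $_.Key } |
        ForEach-Object { $_.Value }) -join ','
}

$u = Get-ADUser -Identity $User -Properties 'msDS-SupportedEncryptionTypes','msDS-AssignedAuthNPolicySilo','MemberOf'
[pscustomobject]@{
    Account       = $u.SamAccountName
    Etypes        = ConvertTo-EtypeList $u.'msDS-SupportedEncryptionTypes'
    ProtectedUser = [bool](@($u.MemberOf) -match '^CN=Protected Users,')  # Protected Users => AES only
    AssignedSilo  = $u.'msDS-AssignedAuthNPolicySilo'
}
foreach ($h in $Hosts) {
    $c = Get-ADComputer -Identity $h -Properties 'msDS-SupportedEncryptionTypes','msDS-AssignedAuthNPolicySilo'
    [pscustomobject]@{
        Account      = $c.SamAccountName
        Etypes       = ConvertTo-EtypeList $c.'msDS-SupportedEncryptionTypes'
        AssignedSilo = $c.'msDS-AssignedAuthNPolicySilo'
    }
}

# Registry values written by the two GPO settings (assumed paths). Check the first on the
# client, the second on a DC. CbacAndArmorLevel: 1 = Supported, 2 = Always provide claims,
# 3 = Fail unarmored authentication requests.
$clientKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$kdcKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'
Get-ItemProperty -Path $clientKey -Name EnableCbacAndArmor -ErrorAction SilentlyContinue |
    Select-Object EnableCbacAndArmor
Get-ItemProperty -Path $kdcKey -Name EnableCbacAndArmor, CbacAndArmorLevel -ErrorAction SilentlyContinue |
    Select-Object EnableCbacAndArmor, CbacAndArmorLevel
```

Run it on the affected client first (after a logon, `klist tgt` shows which session key type the TGT actually got), then repeat the registry part on a DC. The aim is to compare the two environments line by line: the etype lists of the user and the silo hosts, whether the user is in Protected Users, and whether both registry keys are present with the same values in production as in the lab.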

