Active Directory "Log on to" Authentication

I have been having issues with authenticating wirelessly with kiosk accounts using a pass-through RADIUS server when the "Log On To" restriction is set for the user account in Active Directory. Once we remove the lockdown to specific machines it authenticates fine. I have tried adding the DCs and the RADIUS server itself to the "Log On To" list to see if that works, but so far no luck. Any ideas?

I have found the following but it didn't help much.

http://blogs.technet.com/ad/archive/2008/03/07/question-about-ad-authentication-put-in-context.aspx
joshbennett04Asked:

exx1976Commented:
What do the event logs have to say about it? If you don't see any entries, enable failure logging in the security log.
joshbennett04Author Commented:
The local event logs look normal, they show
Logon Type:      2
Logon Process:      User32  
Authentication Package:      Negotiate

I was hoping that the authentication type would be different for the restricted account than a non-restricted account but it's the same for both, whether we have it auto login or not.
joshbennett04Author Commented:
I have noticed that when the machines autologin the authentication type is 11, which is cached interactive. This could be part of the reason that it won't authenticate. I've had other people tell me in the past that they've seen authentication issues when using cached credentials. I might have to get Microsoft on the phone to see if they know of any reason the "LogOnTo" setting in AD would prevent cached creds from authenticating. I am going to try and restrict my credentials to a specific machine, manually log in (no cached), and then try to authenticate through the RADIUS server. I will post what I find.

joshbennett04Author Commented:
A friend told me that this was a confusing post, so I am going to re-word it. I have a kiosk user account named bob; the bob user account is restricted to a kiosk OU named bob's OU. We have locked the bob user account down to only log into the PCs in Bob's OU using the "LogOnTo" setting in Active Directory under the Account tab for the user. When the PC logs in automatically with the credentials set in the registry it gives the following logon type: 11 (CachedInteractive). The user account will not authenticate to the DC through a RADIUS wireless setup unless the LogOnTo setting allows the bob user account to sign into all computers. Can anyone tell me why the LogOnTo is affected by these cached interactive credentials?
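As an added example (not from the thread), a PowerShell check for the two things described above: the account's "Log On To" list and whether its recent logons on the kiosk were cached interactive (type 11). It assumes the ActiveDirectory RSAT module is installed and the script runs with admin rights on the kiosk PC; the account name bob comes from the thread, and the kiosk computer name defaults to the local machine.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# module (RSAT) is installed and the script runs as an admin on the kiosk PC.
# 'bob' is the account from the thread; the kiosk name defaults to this host.
param(
    [string]$User = 'bob',
    [string]$KioskComputer = $env:COMPUTERNAME
)

Import-Module ActiveDirectory

# 1. Read the "Log On To" list (the userWorkstations attribute, exposed by
#    Get-ADUser as LogonWorkstations). An empty value means "all computers".
$acct = Get-ADUser -Identity $User -Properties LogonWorkstations
$allowed = @()
if ($acct.LogonWorkstations) {
    $allowed = $acct.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() }
}
if ($allowed.Count -eq 0) {
    Write-Host "$User may log on to all computers (no restriction set)."
} else {
    Write-Host "$User is restricted to: $($allowed -join ', ')"
    if ($allowed -notcontains $KioskComputer) {
        Write-Warning "$KioskComputer is not in the Log On To list for $User."
    }
}

# 2. List recent successful logons (event 4624, Vista/2008 and later) for the
#    account and show the logon type, so a cached-interactive autologon (11)
#    can be told apart from a normal interactive logon (2).
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d['TargetUserName'] -eq $User) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                LogonType = $d['LogonType']
                Package   = $d['AuthenticationPackageName']
                Process   = $d['LogonProcessName']
                Cached    = ($d['LogonType'] -eq '11')
            }
        }
    } | Format-Table -AutoSize
```

A logon list showing only type 11 entries for bob means the DC was never contacted at sign-in, which matches the behaviour the question describes.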
L3370Commented:
You said it's using wireless to connect? The account may be logging on to the computer using the cached information, probably because it's not connecting to the wireless network UNTIL the computer is logged on to. By that time, it's already logged on to the computer using the cached info and doesn't recognize a need to authenticate with the domain... maybe?
joshbennett04Author Commented:
That's right along my line of thinking. A little more info: the RADIUS setup uses a user certificate to authenticate. Could you tell me why it wouldn't need to authenticate at that point? Any time you establish a new connection, plug in a LAN line, it will at that time re-authenticate with the DC, will it not? Any command lines we can pass in a batch or VBScript to make the authentication re-process?
L3370Commented:
You'd think it would... but I just had an instance of a similar problem. One of my users was trying to change their logon password when connected through VPN. They log in using cached credentials, log in via VPN and change the password on the network. When they log off the computer and log back in, it still continued to log in using the older cached password info instead of the newly created password. When they logged in via VPN, the new password was the one that worked. This continued until the user plugged it into the LAN back at the office.
As for a script to remedy that, I wouldn't know where to begin :P
L3370Commented:
How is the wireless connecting? Is it set to automatically connect to that wireless network upon discovery?
joshbennett04Author Commented:
Yes