I'm trying to restrict logon access to our org's domain controllers using an Authentication Policy and/or Authentication Policies with an Authentication Policy Silo. I'm working with a single privileged account, a bastion host, a management server and the forest domain controllers. The only account not in the target Active Directory forest is the bastion host.
I've tried the instructions in each of the following articles, with no results:
Authentication Policies and Authentication Silos – Restricting Domain Controller Access
Using Authentication Policies to Restrict Privileged User Account Logons
How To Configure Protected Accounts - Authentication Policies
I've tried the suggestions in this thread and the few others I've managed to find: https://social.technet.microsoft.com/Forums/windowsserver/en-US/751659d0-aae0-486e-ab6d-820e5384a855/authentication-policies-and-silos-not-working-properly?forum=winserverDS
I've even tried removing the non-domain joined bastion from the equation by replacing it with a domain-joined workstation with direct access to the management server.
Regardless of what I do, I continue to see events in the AuthenticationPolicyFailures-DomainController log on the domain controllers like the following:
Additionally, after poring over the existing documentation, I've searched for more detailed information on the different parts of the authentication policy and how authentication policies work and have turned up nothing.
Has anyone set up an Authentication Policy and/or Authentication Policy Silo that actually works? Is there any detailed information out there on the different parts/attributes of an authentication policy?
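An added configuration example (editor's, not the poster's commands or any of the linked articles' scripts) showing the silo setup the post describes, built in audit mode first so that the AuthenticationPolicyFailures-DomainController log can be reviewed before anything is enforced. The policy name, silo name, account name and host names are assumptions; the cmdlets are the standard ActiveDirectory module ones.

```powershell
# Assumed names: policy 'DC-Admin-Policy', silo 'DC-Admin-Silo', admin account 'dcadmin',
# management server MGMT01 and domain controller DC01. Run from a management host with
# Domain Admin rights and the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

$silo   = 'DC-Admin-Silo'
$policy = 'DC-Admin-Policy'

# Allow the user to obtain a TGT only from hosts that are members of the same silo.
# This is the documented SDDL form using the AuthenticationSilo device claim.
$allowedFrom = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$silo`"))"

# Start with -Enforce:$false (audit mode): violations are logged, not blocked.
New-ADAuthenticationPolicy -Name $policy -Enforce:$false `
    -UserTGTLifetimeMins 60 -UserAllowedToAuthenticateFrom $allowedFrom

New-ADAuthenticationPolicySilo -Name $silo -Enforce:$false `
    -UserAuthenticationPolicy $policy -ComputerAuthenticationPolicy $policy

# Each principal must be granted access to the silo AND assigned to it; a host that is
# not domain-joined (the bastion in the post) cannot be a member, so it is not listed here.
$members = @('dcadmin', 'MGMT01$', 'DC01$')
foreach ($m in $members) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $silo -Account $m
    Set-ADAccountAuthenticationPolicySilo -Identity $m -AuthenticationPolicySilo $silo
}

# Prerequisite check reminder: silos depend on Kerberos armoring and claims, so the
# "KDC support for claims, compound authentication and Kerberos armoring" policy must be
# enabled on the DCs and the matching client-side Kerberos policy on the member hosts.

# Review audit failures on a DC; enforce only once this returns nothing unexpected.
Get-WinEvent -ComputerName DC01 -MaxEvents 20 `
    -LogName 'Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController' |
    Format-Table TimeCreated, Id, Message -Wrap

# Switch to enforcement after the audit log is clean:
# Set-ADAuthenticationPolicy     -Identity $policy -Enforce:$true
# Set-ADAuthenticationPolicySilo -Identity $silo   -Enforce:$true
```

Group Policy changes on the member hosts only take effect after a reboot or a fresh Kerberos TGT, so re-check the failure log after that, not immediately after assigning the silo.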