We have a vendor that requires Domain Admin access on the servers where their software is deployed. (Obviously we want to restrict them to only being able to log in to the servers where their software is deployed.) In AD, we have used the "Log On To..." setting to restrict that user to those particular servers.
However, our VPN (Sonicwall NSA 2400) cannot authenticate the user when restricted servers are set. It returns: "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 531, v1db1". According to this, the error is that the Sonicwall is not a permitted workstation. I have added the IP of the Sonicwall to the allowed workstations, but it has not removed the error. When I change the logon restriction to all workstations, the user is allowed to log in to the VPN and the Sonicwall says login successful.
Is there a way I can get the Sonicwall to authenticate the user while still keeping the restricted login? I am open to alternatives to our method.
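The error string in the question carries the diagnostic in its `data` field: Active Directory returns a small set of hex sub-codes on a failed LDAP bind, and `531` is the one for "not permitted to log on at this workstation". The "Log On To..." dialog writes to the account's `userWorkstations` attribute, which is a comma-separated list of NetBIOS computer names, so an IP address added there is never going to match anything. The script below is an added example, not part of the original post; it decodes the `data` sub-code from an AD bind error and lint-checks a proposed `userWorkstations` value for entries that can never match. The NetBIOS-name rule (letters, digits and hyphens, at most 15 characters) is a deliberately conservative assumption, and the sample values are constructed.

```python
import re

# Sub-codes Active Directory places after "data" in a failed-bind diagnostic
# (LDAP result 49 / "80090308 ... AcceptSecurityContext error").
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time (logon hours restriction)",
    "531": "not permitted to log on at this workstation (userWorkstations restriction)",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9A-Fa-f]+)")

# Assumed conservative rule for a NetBIOS computer name: 1-15 chars,
# letters/digits/hyphen only. Anything else is flagged for review.
NETBIOS_RE = re.compile(r"^[A-Za-z0-9-]{1,15}$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def decode_bind_error(message):
    """Extract the AD 'data' sub-code from a bind error and explain it.

    Returns (code, meaning) or None when the message is not an AD bind diagnostic.
    """
    match = DATA_RE.search(message)
    if not match:
        return None
    code = match.group(1).lower()
    return code, AD_BIND_DATA_CODES.get(code, "unknown sub-code")


def check_logon_workstations(value):
    """Lint a userWorkstations value (comma-separated NetBIOS names).

    Returns a list of (entry, problem) tuples; an empty list means every entry
    is in a form the restriction can actually match against.
    """
    problems = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            problems.append((entry, "empty entry"))
        elif IPV4_RE.match(entry):
            problems.append((entry, "IP address: the attribute holds computer names, not addresses"))
        elif "." in entry:
            problems.append((entry, "FQDN: use the short NetBIOS computer name"))
        elif not NETBIOS_RE.match(entry):
            problems.append((entry, "not a valid NetBIOS computer name (assumed rule: 1-15 chars, A-Z 0-9 -)"))
    return problems


if __name__ == "__main__":
    # The exact diagnostic quoted in the question.
    err = "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 531, v1db1"
    print(decode_bind_error(err))

    # Constructed sample: two server names plus the VPN appliance's IP address.
    for entry, problem in check_logon_workstations("APPSRV01, APPSRV02, 192.0.2.10"):
        print(f"{entry!r}: {problem}")
```

Run it against the DC's own diagnostic string (from the appliance log or an `ldp.exe` bind) before changing the account: if the sub-code is `531`, the fix lies in the `userWorkstations` list or in how the appliance authenticates, not in the credentials.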