I am trying to allow users of an external Linux-based application server to authenticate with the service using their Active Directory credentials via LDAPS. It works well for admin accounts but fails for normal user accounts.
The issue is that there is a "logon workstations" setting for users that restricts them from logging on to the Domain Controller (DC) (or rather creates a restriction that they can only log on to their assigned workstation).
The initial LDAP query, made in the name of a service account, works, but at the point when the HTTP authentication is carried out the LDAP service unbinds from the service account and tries to bind as the user. At this point it fails.
Is there a way around this? Is it common practice to restrict access to the DC in this way?
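An audit helper for the situation described above, added here as an example and not part of the original post: it lists the accounts in a given OU whose "Log On To" restriction (the `userWorkstations` attribute, exposed by the ActiveDirectory module as `LogonWorkstations`) is set, and reports whether a given application server host name appears in that list. The OU path and the host name `appserver01` are placeholders you would replace with your own values.

```powershell
# Added example: report AD users with a "logon workstations" restriction and
# check whether a given host is allowed. Requires the ActiveDirectory module
# (RSAT) and read access to the user objects.
Import-Module ActiveDirectory

# Placeholders: replace with your own OU and the host the LDAP bind comes from.
$SearchBase = 'OU=Users,DC=example,DC=local'
$AppHost    = 'appserver01'

# LogonWorkstations maps to the userWorkstations LDAP attribute; it is a
# comma-separated list of NetBIOS computer names. An empty value means the
# account may log on from any workstation.
$users = Get-ADUser -SearchBase $SearchBase -Filter * -Properties LogonWorkstations

foreach ($u in $users) {
    if ([string]::IsNullOrEmpty($u.LogonWorkstations)) {
        # No restriction on this account; nothing to report.
        continue
    }

    $allowed = $u.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() }
    $hostOk  = $allowed -contains $AppHost

    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        LogonWorkstations = $u.LogonWorkstations
        AppHostAllowed    = $hostOk
    }
}
```

Running this against the OU that holds the affected users shows which accounts carry the restriction and whether the application server's name is among the permitted workstations, which lets you separate "restricted on purpose" accounts from ones that are failing only because the list was never updated.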