This article describes an issue where authentication against an AD server fails with the NTSTATUS code 'STATUS_INVALID_WORKSTATION' in the user access log.
Problem or Goal
User authentication fails with AD as the auth server, and the following error messages are observed in the User access log and TCP dump:
Active Directory authentication server 'AD' : Received NTSTATUS code 'STATUS_INVALID_WORKSTATION'
Cause
This issue occurs when the Log On To option is enabled under the Account tab for the user object in Active Directory. Log On To lists the machine names the user can log on to, and the VPN's machine name is not listed as one of the allowed machines.
Solution
To resolve this issue, perform the following steps:
1. Log in to the domain controller
2. Navigate to Active Directory Users and Computers
3. From the list, right-click the corresponding user
4. Click Properties
5. Select the Account tab
6. Click the Log On To button
7. Enter the Computer Name of the VPN device (the Computer Name can be obtained from the AD auth server configuration)
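
The same check and change can be scripted with the ActiveDirectory PowerShell module. This is an added example, not part of the original article: the function name `Add-VpnLogonWorkstation`, the account `jdoe` and the device name `VPN-GW01` are constructed placeholders.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and rights to edit the user object.
Import-Module ActiveDirectory

function Add-VpnLogonWorkstation {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Identity,        # user's sAMAccountName
        [Parameter(Mandatory)] [string] $VpnComputerName  # Computer Name from the AD auth server configuration
    )

    $user = Get-ADUser -Identity $Identity -Properties LogonWorkstations

    # An empty attribute means "All computers": Log On To is not the cause.
    if ([string]::IsNullOrWhiteSpace($user.LogonWorkstations)) {
        Write-Output "$Identity has no Log On To restriction."
        return
    }

    # The attribute is stored as a comma-separated list of computer names.
    $allowed = @($user.LogonWorkstations -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })

    if ($allowed -contains $VpnComputerName) {   # -contains is case-insensitive
        Write-Output "$VpnComputerName is already allowed for $Identity."
        return
    }

    # Append rather than overwrite so the existing restriction is preserved.
    $updated = ($allowed + $VpnComputerName) -join ','
    if ($PSCmdlet.ShouldProcess($Identity, "Set LogonWorkstations to '$updated'")) {
        Set-ADUser -Identity $Identity -LogonWorkstations $updated
        Write-Output "Added $VpnComputerName to the Log On To list for $Identity."
    }
}

# Constructed sample values; -WhatIf previews the change without writing it.
Add-VpnLogonWorkstation -Identity 'jdoe' -VpnComputerName 'VPN-GW01' -WhatIf

# List every restricted user whose Log On To list omits the VPN device.
Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties LogonWorkstations |
    Where-Object { ($_.LogonWorkstations -split ',').Trim() -notcontains 'VPN-GW01' } |
    Select-Object SamAccountName, LogonWorkstations
```

Remove `-WhatIf` to apply the change. The final query helps find other accounts that will hit the same error before their users report it.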