6.6 Cannot Restrict Users to Use Specific Workstations

Issue: When kiosk user accounts are restricted in Active Directory to log on only to specific computers (the Log On To setting on the account), and users try to log in to Windows with those accounts, the Advanced Authentication Windows Client displays an Invalid Credentials error even though the password is correct.

If the setting is changed back to This user can log on to All computers, the same account logs in successfully.

Reason: With the LDAP Password method, Advanced Authentication validates the password by binding to a Domain Controller as the user. That bind is a logon to the Domain Controller, so the account's logon workstation restriction is evaluated against the Domain Controller itself. Because the Domain Controller is not in the user's Log On To list, the bind is rejected, and the client reports the rejection as Invalid Credentials.

Workaround:

  1. Open the user's properties (for example in Active Directory Users and Computers), go to the Account tab and click Log On To.

  2. Add the Domain Controllers to the list of allowed workstations for that user, keeping the existing kiosk computers in the list. Add every Domain Controller that Advanced Authentication may bind to, otherwise the failure returns whenever a different Domain Controller answers.

  3. Adding the Domain Controllers to Log On To would also allow the kiosk account to log on to the Domain Controllers interactively. To prevent that, go to Group Policy Management > Domain Controllers > Default Domain Controllers Policy > Edit. (A separate GPO linked to the Domain Controllers OU works as well and leaves the default policy untouched.)

  4. In the Group Policy Editor go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

  5. Add that user, or preferably a group that contains all kiosk accounts, to Deny log on locally and Deny log on through Remote Desktop Services.

  6. Run gpupdate /force on the Domain Controllers to apply the policy change immediately (it is also applied at the next scheduled refresh).
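The following PowerShell script automates steps 1 and 2 for every account in a kiosk group and then verifies the fix by doing what the LDAP Password method does: a simple bind to a Domain Controller as the kiosk user. It is an added example and not part of the Advanced Authentication product or its documentation. Assumptions: the kiosk accounts are members of a group named AA-Kiosk-Users, the RSAT ActiveDirectory module is installed, the Domain Controllers accept LDAPS on port 636, and the bind Advanced Authentication performs is a simple bind (if the product uses another bind type the diagnostic still shows whether the workstation restriction blocks the account). Steps 3 to 6 (the Deny log on rights) are not covered by the script and still have to be done in Group Policy.

```powershell
# Added example, not code from the Advanced Authentication documentation.
# Assumed names: group 'AA-Kiosk-Users', LDAPS on TCP 636, a DC FQDN passed by the caller.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$KioskGroup = 'AA-Kiosk-Users'   # assumption: group holding the restricted kiosk accounts

# LogonWorkstations stores NetBIOS computer names, which is what .Name returns here.
$dcNames = (Get-ADDomainController -Filter *).Name

# Steps 1-2: append every DC to each user's Log On To list without dropping the kiosk PCs.
foreach ($member in Get-ADGroupMember -Identity $KioskGroup | Where-Object objectClass -eq 'user') {
    $u = Get-ADUser -Identity $member.DistinguishedName -Properties LogonWorkstations
    if ([string]::IsNullOrEmpty($u.LogonWorkstations)) {
        # Empty attribute means "All computers": the issue does not apply, leave it alone.
        Write-Host "$($u.SamAccountName): not restricted, skipping"
        continue
    }
    $allowed = $u.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $missing = $dcNames | Where-Object { $allowed -notcontains $_ }
    if ($missing) {
        Set-ADUser -Identity $u -LogonWorkstations (($allowed + $missing) -join ',')
        Write-Host "$($u.SamAccountName): added $($missing -join ', ')"
    } else {
        Write-Host "$($u.SamAccountName): all DCs already allowed"
    }
}

# Check: a simple bind as the kiosk user against one DC, over TLS so the password is not
# sent in clear text. Before the fix the DC rejects the bind with
# "AcceptSecurityContext error, data 531" (ERROR_INVALID_WORKSTATION); the Windows Client
# shows that rejection as "Invalid Credentials". Data 52e is a genuinely wrong password.
function Test-KioskBind {
    param(
        [Parameter(Mandatory)][string]$DomainController,    # FQDN, e.g. dc01.example.com (assumption)
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][securestring]$Password
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $cred = New-Object System.Net.NetworkCredential($UserPrincipalName, $Password)
    try {
        $conn.Bind($cred)
        [pscustomobject]@{ User = $UserPrincipalName; Bind = 'OK'; Detail = '' }
    } catch [System.DirectoryServices.Protocols.LdapException] {
        $detail = $_.Exception.ServerErrorMessage
        $why = if ($detail -match 'data 531') { 'workstation restriction: DC missing from Log On To' }
               elseif ($detail -match 'data 52e') { 'wrong password' }
               else { 'other bind failure' }
        [pscustomobject]@{ User = $UserPrincipalName; Bind = 'FAILED'; Detail = "$why ($detail)" }
    } finally {
        $conn.Dispose()
    }
}

# Usage (assumed names): run once per DC to prove every DC accepts the bind.
Test-KioskBind -DomainController 'dc01.example.com' -UserPrincipalName 'kiosk01@example.com' `
               -Password (Read-Host -AsSecureString 'Kiosk password')
```

Run the bind check against each Domain Controller, not just one: the restriction is evaluated per Domain Controller, so a DC that was left out of the Log On To list still produces the data 531 rejection while the others succeed. After the Deny log on rights from steps 3 to 6 are in place, the bind must still succeed (those rights only block interactive and Remote Desktop logons on the Domain Controllers, not the network logon that the LDAP bind performs); if it fails, the wrong right was configured.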