Modern sssd respects the GPOs from Active Directory that control which ways users are allowed to log in (e.g. locally, remotely). Some time recently this check was changed from permissive to enforcing. A fully updated Ubuntu 16.04 is enforcing, as is a Fedora 27. However RHEL 7 is still permissive even though it uses a recent sssd.
sssd has a map between PAM service name and the different GPO categories. A service that isn't in any map gets denied. And we use the service name "thinlinc" for web access.
The fix is to add the following to your sssd configuration for your domain:
> ad_gpo_map_remote_interactive = +thinlinc
This puts thinlinc in the same category as ssh.
Asked upstream to be included in their default list:
We'll do a platform specific note right away and then see what the next step is.
A platform specific note has now been added.
The PSN looks good, verified that it solves the problem.
For reference, the platform specific note is in the general section:
For now we'll wait and see if upstream continues with their plans to allow us to drop extra configuration in /etc/sssd/conf.d.