Hi,
I have a Juniper SA-2000 with OS 6.2R1 (build 13255). I'm creating a role mapping to assign a role to members of an Active Directory group. I select the group from Active Directory and assign a role, but the users who are members of this group can't log in. However, if I use a user to assign the role it goes well.
Has somebody been able to use group membership to assign roles?
Thanks.
Raul
Maybe it's a problem with the LDAP configuration:
On the auth servers page: Finding user entries: besides configuring the Base DN; Filter: "samaccountname=<USER>"
Determine group membership: Filter: cn=<GROUPNAME>, Member Attribute: member
try to configure this!!
I have an SA-2000 with OS 6.0R3.1, and all my users work through groups in AD.
What do you see in the event log of the AD?
There are no events in the domain controllers.
The SA-2000 is querying the domain fine because it can list groups and validate users OK, but it seems that it can't see group membership.
Any idea?
Thanks.
Raul
I would check two places.
First:
Check the User Realms page and select the realm you set up. Make sure you select the AD server in the servers section.
Second:
Check the Signing In page and click the /* link. Make sure the realm you set up is added to the sign-in page.
Hi,
I checked User Realms and the Domain Controllers are specified correctly. Test configuration goes well. I think the SA-2000 reads AD well because it can validate users and see groups. The problem is only with group membership.
I checked the Signing In page and the realm I set up is added correctly. If I configure the realm to validate users it goes well.
In Role Mapping page this rule exists:
When users meet these conditions: group is "domain/group"
assign these roles: role
I think the problem is here, because if I create the following rule it goes well:
When users meet these conditions: username is "user"
assign these roles: role
Any idea?
Thanks.
Raul
Hi rkobi,
I did not use LDAP Server authentication. I used Active Directory / Windows NT authentication. I have tried LDAP Server authentication with the configuration that you have indicated and it has worked well.
I think using LDAP Server authentication is a solution, but I don't know why it doesn't work with Active Directory / Windows NT authentication. I think that if we work with AD, Active Directory / Windows NT authentication is the authentication that we would have to use.
Thanks.
Raul
Raul - when connecting to an AD server you can use either LDAP or AD for authentication and role mapping. The advantage of LDAP is greater flexibility in terms of being able to use a lot of different attributes to define roles. In my test server I use LDAP and then define roles based on City/State, Department, ...
I also use AD and map based on group membership and it works fine.
However, with AD you are limited to group membership only. It will work just fine for role mapping with that limitation. If you don't want to use LDAP and still want to troubleshoot your AD mapping, then I would use the Policy Trace feature under Maintenance, Troubleshooting, User Sessions. Turn this on for the specific user and let it trace what happens when they authenticate. You should see the error pretty clearly.
You could find it is something as silly as a misspelled group name.
Hello,
we use 6.0R5 with Active Directory authentication and authorisation (Directory/Attribute) successfully.
We allow "Kerberos" and "NTLM v2" to the authentication-server and use a domain administrator account for the SA-to-AD-communication.
Our rules look like:
Condition: group is "DOMAIN/GROUP1", "DOMAIN/GROUP2" or "DOMAIN/GROUP3" assign: "all-employees"
Condition: group is "DOMAIN/GROUP1" assign: "Group1-Roles"
Condition: group is "DOMAIN/GROUP2" assign: "Group2-Roles"
and all works fine.
We had to use uppercase group- and domain-names.
- Steffen
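The two-step LDAP lookup recommended earlier in the thread (find the user entry with a `samaccountname=<USER>` filter, then test group membership with a `cn=<GROUPNAME>` filter and the `member` attribute) and the "group is" role-mapping rules quoted by Raul and Steffen can be exercised without a live domain. The following is an added example, not code from the thread or from the Juniper SA appliance: it runs both steps against a constructed in-memory directory (the `example.corp` entries, user names and group names are all made up), escapes filter values per RFC 4515 so a user name like `*` cannot turn into a wildcard match, compares DNs and group names case-insensitively, and shows how a misspelled group name in a rule silently assigns nothing, which is the failure mode mentioned above.

```python
"""Two-step AD/LDAP group lookup and "group is" role mapping, simulated offline.

Added example; not part of the original thread or the SA appliance's code.
"""
import re

# Constructed in-memory directory (not a real domain). Attribute names and DNs
# are deliberately mixed-case to show that comparisons must ignore case.
DIRECTORY = {
    "CN=Alice Example,OU=Users,DC=example,DC=corp": {"sAMAccountName": ["alice"]},
    "CN=Bob Example,OU=Users,DC=example,DC=corp": {"sAMAccountName": ["bob"]},
    "CN=VPN-Users,OU=Groups,DC=example,DC=corp": {
        "cn": ["VPN-Users"],
        "member": [
            "CN=Alice Example,OU=Users,DC=example,DC=corp",
            "CN=Bob Example,OU=Users,DC=example,DC=corp",
        ],
    },
    "CN=VPN-Admins,OU=Groups,DC=example,DC=corp": {
        "cn": ["VPN-Admins"],
        # Same DN as Alice's entry, but lowercased: a DN match must be case-insensitive.
        "member": ["cn=alice example,ou=users,dc=example,dc=corp"],
    },
}

# RFC 4515 escaping for values embedded in a search filter.
_RFC4515 = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is matched literally inside a filter."""
    return "".join(_RFC4515.get(ch, ch) for ch in value)


_FILTER_RE = re.compile(r"^\(([A-Za-z][A-Za-z0-9-]*)=(.*)\)$")
_HEX_RE = re.compile(r"\\([0-9A-Fa-f]{2})")


def search(directory: dict, ldap_filter: str) -> list:
    """Toy LDAP server: evaluate one equality filter '(attr=value)' and return matching DNs.

    Values are unescaped and compared as exact, case-insensitive strings, so an
    escaped '*' is a literal asterisk. A real server would treat an unescaped
    '*' as a wildcard and match every user.
    """
    m = _FILTER_RE.match(ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    attr, raw = m.group(1).lower(), m.group(2)
    wanted = _HEX_RE.sub(lambda h: chr(int(h.group(1), 16)), raw).lower()
    return [
        dn
        for dn, entry in directory.items()
        for name, values in entry.items()
        if name.lower() == attr and any(v.lower() == wanted for v in values)
    ]


def find_user_dn(directory: dict, username: str):
    """Step 1: 'Finding user entries' with the samaccountname=<USER> filter."""
    hits = search(directory, f"(sAMAccountName={escape_filter_value(username)})")
    # Exactly one entry must match; none or several means the login cannot be mapped.
    return hits[0] if len(hits) == 1 else None


def user_in_group(directory: dict, user_dn: str, group_spec: str) -> bool:
    """Step 2: 'Determine group membership' with cn=<GROUPNAME> and the member attribute.

    group_spec uses the appliance's DOMAIN/GROUP form; only the group part is looked up.
    """
    cn = group_spec.rsplit("/", 1)[-1]
    for group_dn in search(directory, f"(cn={escape_filter_value(cn)})"):
        members = directory[group_dn].get("member", [])
        if any(m.lower() == user_dn.lower() for m in members):
            return True
    return False


def map_roles(directory: dict, username: str, rules: list) -> list:
    """Evaluate 'group is A, B or C -> role' rules; returns roles in rule order."""
    user_dn = find_user_dn(directory, username)
    if user_dn is None:
        return []
    roles = []
    for groups, role in rules:
        if any(user_in_group(directory, user_dn, g) for g in groups) and role not in roles:
            roles.append(role)
    return roles


# Constructed rules in the thread's style; the last one carries a misspelled group name.
RULES = [
    (("EXAMPLE/VPN-Users", "EXAMPLE/VPN-Admins"), "all-employees"),
    (("EXAMPLE/VPN-Admins",), "Admin-Roles"),
    (("EXAMPLE/VPN-Adminz",), "never-assigned"),
]

if __name__ == "__main__":
    for user in ("alice", "bob", "*"):
        print(user, "->", map_roles(DIRECTORY, user, RULES))
```

Running the block prints `alice -> ['all-employees', 'Admin-Roles']`, `bob -> ['all-employees']` and `* -> []`. The third line is the point of the escaping: the name is searched literally, so no entry matches and no role is granted, where an unescaped filter would have matched every account. The `never-assigned` role never appears because its group name has a typo, which is exactly what a policy trace on the appliance would surface.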