A client using Windows SSO Domain Controller Query receives an Access Denied exception page when trying to browse the internet.
The Windows SSO realm also uses an LDAP realm for authorization.
This problem occurs when the client is a member of a nested group.
For example:
A client is a member of GroupA, and GroupA is a member of GroupB. However, the client is not directly a member of GroupB. In VPM, the source of the policy allow rule was set to GroupB. The policy trace shows that the transaction missed this rule, so it matched the default rule, which is Deny.
Enable Nested Groups Support under Configuration > Authentication > LDAP > LDAP Search & Groups to resolve this issue.
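The following Python sketch models the group evaluation described above. It is an added illustration, not code from the product. The DNs, the MEMBER_OF table and the function names are constructed for the example. It compares a direct-membership lookup with a transitive one and guards against groups that contain each other.

```python
from collections import deque

# Constructed sample DNs mirroring the GroupA / GroupB case above.
CLIENT = "cn=client,ou=users,dc=example,dc=com"
GROUP_A = "cn=GroupA,ou=groups,dc=example,dc=com"
GROUP_B = "cn=GroupB,ou=groups,dc=example,dc=com"

# Constructed directory: DN -> groups the entry is a direct member of.
MEMBER_OF = {
    CLIENT: [GROUP_A],
    GROUP_A: [GROUP_B],
    GROUP_B: [GROUP_A],  # constructed cycle, to show the walk terminates
}

def direct_groups(dn):
    """Groups the entry belongs to directly (no nested group resolution)."""
    return set(MEMBER_OF.get(dn, []))

def nested_groups(dn):
    """Direct and inherited groups, found by walking memberOf breadth-first."""
    seen = set()
    queue = deque([dn])
    while queue:
        for group in MEMBER_OF.get(queue.popleft(), []):
            if group not in seen:  # skip groups already visited (cycle guard)
                seen.add(group)
                queue.append(group)
    return seen

def evaluate(dn, allowed_group, nested_support):
    """Model one allow rule on allowed_group with a default rule of Deny."""
    groups = nested_groups(dn) if nested_support else direct_groups(dn)
    return "ALLOW" if allowed_group in groups else "DENY"

if __name__ == "__main__":
    for nested in (False, True):
        print(f"nested group support={nested}: {evaluate(CLIENT, GROUP_B, nested)}")
```

With direct lookup only, the client never appears in GroupB and the transaction falls through to the default rule. With the transitive walk, GroupB is found through GroupA.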