LDAP based administrator accounts get Access denied message on login
search cancel

LDAP based administrator accounts get Access denied message on login


Article ID: 273859


Updated On:


Messaging Gateway Hardware


After configuring or modifying the membership of a LDAP based Administration Policy Group members of that group receive an "Access denied" message when attempting to log into the Messaging Gateway (SMG) Control Center web interface.

Error text

Access Denied

Access for your account has not been configured. Please contact your administrator for assistance


Potential causes

  • The administration policy group has not been configured with directory based membership or Administration access
  • The Control Center has cached information on the directory group membership which does not reflect more recent changes to the group
  • The configured administration group has a lower precedence than another policy group with no Control Center login access


The "Access denied" message means that the authentication to the Control Center web GUI was successful but the account's policy group doesn't have adminstrative access. 

Configuring Administrator policy group access to Messaging Gateway

  1. Ensure that a directory data source is configured with Authentication enabled with either 'Control Center authentication only' selected or 'Control Center and SMTP authentication' selected.
  2. Enable 'Both Control Center Authorization and Email Scanning' is selected on the Address Resolution tab.
  3. Ensure that "Enable an Administration Policy for this policy group" is enabled for the specific policy group (Administration > Policy Groups > Select a policy group > Edit > Administration) and that the appropriate administration policy is selected.

Clearing the DDS cache

  1. Log into the SMG Control Center as admin
  2. Go to Administration > Directory Integration
  3. Open the configuration for the data source that is providing authentication
  4. Select the Advanced tab
  5. Click the Clear cache button

This will ensure that any cached membership entries for the administration policy group have been cleared and the directory server will be queried for the most recent information on group membership.

Policy Group Precedence

If clearing the cache doesn't address the issue, ensure that the account is being properly mapped to the expected administration policy group:

  1. Go to Administration > Find User
  2. Enter the email address of the administrator account recieving the access denied message
  3. Click Find user
  4. Confirm that the administrator policy group shows up in the list and is the first entry in the list.

If the administration group is not the first policy group in the list, it's precedence will need to be adjusted by 

  1. Go to Administration > Policy Groups
  2. Click and hold on the administration policy group 
  3. Drag the administration policy group to the top of the precedence list