Cannot authorize with the group membership in Active Directory when the group is the Primary group.

Article Id: 40912

Status: Published

Updated On: 14-02-2018 07:45

Legacy Id: TEC1392334

Products:

CA Single Sign On Secure Proxy Server (SiteMinder) , AXIOMATICS POLICY SERVER , CA Single Sign On SOA Security Manager (SiteMinder) , CA Single Sign-On , CA Single Sign-On

Issue/Introduction:

Problem:

Active Directory is our User Directory. We created a Security group in the Active Directory (CN=Agroup,CN=Users,DC=mycompany,DC=com) and allowed access to certain resources for the members of the group.

The User Policy was defined correctly and working well but one of the members was suddenly rejected to access to the resources when the group “Agroup” is set to their Primary group in the “Member Of” tab of the user’s Properties.

Environment:

CA Single Sign-On R12.x

Cause:

This is an expected behavior of Active Directory. CA Single Sign-On cannot find the users in the group based on group membership when the group is set as the Primary group of the users, so the authorization is rejected.

You can find further details in the following knowledge article from Microsoft.

“Setting Primary Group Excludes the User from the Group Membership in Active Directory”

https://support.microsoft.com/en-us/kb/275523

Resolution:

Please consider to use user attributes for User Policies instead of group membership when the use of Primary group is indispensable.

Environment:

Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus
Component: