Problem:
Active Directory is our User Directory. We created a Security group in Active Directory (CN=Agroup,CN=Users,DC=mycompany,DC=com) and granted the members of that group access to certain resources.
The User Policy was defined correctly and worked well, but one member was suddenly denied access to the resources after the group “Agroup” was set as their Primary group in the “Member Of” tab of the user’s Properties.
Environment:
CA Single Sign-On R12.x
Cause:
This is expected Active Directory behavior. When a group is set as a user's Primary group, Active Directory no longer lists that user in the group's membership, so CA Single Sign-On cannot find the user through group membership and the authorization is rejected.
Further details are available in the following Microsoft knowledge article:
“Setting Primary Group Excludes the User from the Group Membership in Active Directory”
https://support.microsoft.com/en-us/kb/275523
Resolution:
When use of the Primary group is indispensable, base the User Policies on user attributes instead of group membership.
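To make the Cause and the Resolution concrete, the following added example (written for this article, not code from CA or Microsoft) models a small directory in plain Python. It shows why a membership-based check misses a user whose Primary group is Agroup, how the user is still resolvable through the RID in primaryGroupID, and what an attribute-based policy check sees instead. All entries, SIDs and attribute values are constructed; the check functions are simplified models of policy evaluation, not the product's own code.

```python
"""Added example (not from the CA knowledge article): models why a user whose
Primary group is "Agroup" disappears from membership-based lookups, and what
an attribute-based policy check sees instead.

All directory entries, SIDs and attribute values below are constructed.
"""

AGROUP_DN = "CN=Agroup,CN=Users,DC=mycompany,DC=com"

# Constructed group entry. In AD the group's RID is the last sub-authority of
# its objectSid; a user's primaryGroupID holds that RID rather than a DN.
AGROUP = {
    "dn": AGROUP_DN,
    "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",  # constructed SID
    # alice is an ordinary member; bob is absent because Agroup is his Primary group
    "member": ["CN=alice,CN=Users,DC=mycompany,DC=com"],
}

# Constructed user entries. 513 is the well-known RID of Domain Users,
# the default Primary group.
ALICE = {
    "dn": "CN=alice,CN=Users,DC=mycompany,DC=com",
    "memberOf": [AGROUP_DN],
    "primaryGroupID": 513,
    "department": "Sales",
}
BOB = {
    "dn": "CN=bob,CN=Users,DC=mycompany,DC=com",
    "memberOf": [],          # AD drops the back-link once Agroup became primary
    "primaryGroupID": 1105,  # RID of Agroup
    "department": "Sales",
}


def rid_from_sid(sid: str) -> int:
    """Return the relative identifier (last sub-authority) of an SID string."""
    return int(sid.rsplit("-", 1)[1])


def member_of_check(user: dict, group: dict) -> bool:
    """Membership test of the kind a group-based policy performs: is the group
    DN in the user's memberOf, or the user DN in the group's member attribute?
    This is the check that fails when the group is the user's Primary group."""
    return (group["dn"] in user.get("memberOf", [])
            or user["dn"] in group.get("member", []))


def effective_member(user: dict, group: dict) -> bool:
    """Full membership test: explicit membership OR the user's primaryGroupID
    matches the RID of the group's objectSid."""
    if member_of_check(user, group):
        return True
    return user.get("primaryGroupID") == rid_from_sid(group["objectSid"])


def attribute_check(user: dict, attribute: str, expected: str) -> bool:
    """Policy check based on a user attribute, the workaround the article
    recommends; it does not depend on group membership at all."""
    return user.get(attribute) == expected


if __name__ == "__main__":
    for user in (ALICE, BOB):
        print(user["dn"],
              "memberOf-check:", member_of_check(user, AGROUP),
              "effective:", effective_member(user, AGROUP),
              "department=Sales:", attribute_check(user, "department", "Sales"))
```

Running the block shows bob failing `member_of_check` while alice passes, even though both belong to Agroup once primaryGroupID is taken into account; an attribute-based check such as `department=Sales` treats both users alike, which is why the article recommends it when the Primary group cannot be changed.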