Cannot authorize with the group membership in Active Directory when the group is the Primary group.

Article ID: 40912

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Problem: 

Active Directory is our User Directory. We created a Security group in Active Directory (CN=Agroup,CN=Users,DC=mycompany,DC=com) and granted the members of that group access to certain resources.

The User Policy was defined correctly and worked well, but one of the members was suddenly denied access to the resources after the group "Agroup" was set as their Primary group in the "Member Of" tab of the user's Properties.

Environment:  

CA Single Sign-On R12.x

Cause: 

This is expected behavior of Active Directory. When a group is set as a user's Primary group, Active Directory records that relationship only in the user's primaryGroupID attribute and removes the user from the group's member list (and the group from the user's memberOf list). CA Single Sign-On evaluates group membership from those membership attributes, so it cannot find the user in the group and the authorization is rejected.

You can find further details in the following knowledge article from Microsoft.

“Setting Primary Group Excludes the User from the Group Membership in Active Directory”

https://support.microsoft.com/en-us/kb/275523
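As an added illustration (not part of the original article or of the CA Single Sign-On product code), the following Python script models the directory entries involved. The group DN and domain come from the article; the SIDs, user names and other attribute values are constructed. It shows why a check that reads only memberOf/member misses a user whose Primary group is Agroup, and how the user's primaryGroupID relates to the RID at the end of the group's objectSid.

```python
"""Why a memberOf-based group check misses the user's Primary group."""
from typing import Dict, List, Union

Entry = Dict[str, Union[str, List[str]]]

GROUP_DN = "CN=Agroup,CN=Users,DC=mycompany,DC=com"

# Constructed group entry: Active Directory drops a user from 'member'
# once the group becomes that user's Primary group.  SID is made up.
AGROUP: Entry = {
    "distinguishedName": GROUP_DN,
    "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
    "member": ["CN=Bob,CN=Users,DC=mycompany,DC=com"],
}

# Constructed user entry whose Primary group was changed to Agroup:
# 'memberOf' no longer lists it; only primaryGroupID (the RID) links them.
ALICE: Entry = {
    "distinguishedName": "CN=Alice,CN=Users,DC=mycompany,DC=com",
    "memberOf": ["CN=Staff,CN=Users,DC=mycompany,DC=com"],
    "primaryGroupID": "1105",
}


def rid_from_sid(sid: str) -> int:
    """Return the relative identifier: the last dash-separated field of a SID."""
    return int(sid.rsplit("-", 1)[1])


def member_via_memberof(user: Entry, group: Entry) -> bool:
    """The check that fails in the article: membership attributes only."""
    in_member_of = group["distinguishedName"] in user.get("memberOf", [])
    in_member = user["distinguishedName"] in group.get("member", [])
    return in_member_of or in_member


def member_including_primary(user: Entry, group: Entry) -> bool:
    """Complete check: a primaryGroupID equal to the group's RID also counts."""
    if member_via_memberof(user, group):
        return True
    primary_rid = int(user.get("primaryGroupID", -1))
    return primary_rid == rid_from_sid(str(group["objectSid"]))


if __name__ == "__main__":
    print("memberOf/member only :", member_via_memberof(ALICE, AGROUP))        # False
    print("including primary    :", member_including_primary(ALICE, AGROUP))   # True
```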

Resolution:

When use of the Primary group is indispensable, consider basing the User Policies on user attributes instead of group membership.

Environment

Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus