The full error on the browser looks like the one below:
Appliance Error (configuration_error)
Your request could not be processed because of a configuration error: "Unable to authorize authenticated user"
The scenarion for this case is environments with two domains, such as parent.com and child.parent.com.
The ProxySG appliance's LDAP server that points to parent.com DC is being used as the LDAP authorization server for the Windows SSO authentication realm.
The LDAP server's DN has been configured as follows:
The two-way trust between these two domains is configurd and working fine.
The issue occurs when users from child.parent.com log in to their workstations and try to browse. When users from parent.com try to browse, it works fine.
By default the 'Follow referrals' option is not enabled on the the LDAP server configuration. Enabling this option resolves this issue.
You can enable this option in the ProxySG Management Console by selecting Configuration > Authentication > LDAP > LDAP Servers and selecting the Realm name. Then select the Follow referrals option.
Note that if you use LDAP v3, you can select Follow referrals to allow the client to follow referrals to other servers. (This feature is not available with LDAP v2.) The default is Disabled.