Post by geeksbsmrt on Jun 21, 2021 14:38:53 GMT
We have an environment where we have users in multiple domains with different group membership requirements per domain. This is our Auth XML:
This works great as long as the user selects the correct domain for authentication the first time. However, if the user selects the incorrect domain for the first auth attempt, when they change to the correct domain, the auth works but we get the Security Group membership error. I have included a screenshot of what we're seeing with the logs.
Note that in the picture the first, failed auth, was performed against d1. The second auth attempt, against d2, was successful. However, the line reads: "Successfully retrieved default naming context for d2: DC=d1" It appears that it's still holding on to the DN of the first login attempt and causing the group membership evaluation to fail in the successful login.
<Action Type="UserAuth" Title="User Authentication" MaxRetryCount="5" Group="d1g1;d1g2;d2g1;d2g2;d3g1;d3g2;d4g1" GetGroups="True" DisableCancel="True" ShowBack="False" Condition='"%isVendor%" = "False"'>
<Field Name="Username" RegEx="[\w\-_.]+"/>
<Field Name="Domain" List="d1,d2,d3,d4"/>
</Action>This works great as long as the user selects the correct domain for authentication the first time. However, if the user selects the incorrect domain for the first auth attempt, when they change to the correct domain, the auth works but we get the Security Group membership error. I have included a screenshot of what we're seeing with the logs.
Note that in the picture the first, failed auth, was performed against d1. The second auth attempt, against d2, was successful. However, the line reads: "Successfully retrieved default naming context for d2: DC=d1" It appears that it's still holding on to the DN of the first login attempt and causing the group membership evaluation to fail in the successful login.
