</Action>

This works great as long as the user selects the correct domain for authentication the first time. However, if the user selects the incorrect domain for the first auth attempt, when they change to the correct domain, the auth works but we get the Security Group membership error. I have included a screenshot of what we're seeing with the logs.
Note that in the picture, the first, failed auth was performed against d1. The second auth attempt, against d2, was successful. However, the line reads: "Successfully retrieved default naming context for d2: DC=d1". It appears that it's still holding on to the DN of the first login attempt and causing the group membership evaluation to fail in the successful login.