To ensure that your group rules work properly, verify the following:
The "Name template" field on the schemus LDAP Search tab needs to match the domain that is identified in the CSP access logs. Change the name
It is likely that the portal Proxy domain does not match the LDAP sync domain.
You need to obtain the CSP access logs to confirm that the domain in the portal does not match the domain in the access logs.
Windows 2000 and later maintain two different domain names: a "pre-Windows 2000" domain name, and an Active Directory domain name.
The Active Directory domain is generally a DNS name.
When you install Windows 2000 or 2003, you can select both the pre-Windows and the Active Directory domain name. If you upgrade from Windows NT, you are limited to the AD domain name.
If you upgrade from NT and the NT domain name is NTDOM, your AD name reflects it and shows as ntdom.com.
If it is a brand new installation, you are given the choice between the AD domain, ad-dom.com, and the pre-2000 name AD-DOM.
You can change the default in either case.
In AD, every user has two names for their account, the pre-win2k one and the native AD one: DOMAIN\user and email@example.com.
If you have not accepted the defaults at installation, the names are NTDOM\user and firstname.lastname@example.org.
The default schemus settings assume that you use the default AD names (i.e., that the pre-2k and AD domain names are the same).
Note that the CSP uses the NTLM authentication protocol, and NTLM always uses the pre-win2k account name to authenticate (i.e., NTDOM\user).
Therefore, even if you log into your computer as email@example.com, at authentication with the CSP, your browser sends NTDOM\user as the user name.
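One way to confirm the mismatch from the access logs, as an added example that is not part of the original article or any vendor tool: the script counts the domain part of every DOMAIN\user value in the log and compares it with the domain used in the Name template. The log line layout, the sample lines, the case-insensitive comparison and the function names are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Pre-Windows 2000 (NetBIOS) account name, e.g. NTDOM\user.
# NetBIOS domain names are at most 15 characters long.
DOWNLEVEL = re.compile(r'(?<![\w\\])([A-Za-z0-9-]{1,15})\\([^\s\\/"]+)')

# Constructed sample lines; the field layout is an assumption, not the
# documented CSP access log format. Only the DOMAIN\user token matters.
SAMPLE_LOG = [
    r'2024-01-10 09:12:01 10.0.0.21 NTDOM\alice GET http://example.com/ 200',
    r'2024-01-10 09:12:04 10.0.0.22 NTDOM\bob GET http://example.org/a 200',
    r'2024-01-10 09:12:09 10.0.0.21 ntdom\alice GET http://example.net/ 304',
    r'2024-01-10 09:12:11 10.0.0.30 - GET http://example.com/ 407',
]

def domains_in_log(lines):
    """Count the domain part of each DOMAIN\\user token in the log lines."""
    counts = Counter()
    for line in lines:
        for domain, _user in DOWNLEVEL.findall(line):
            counts[domain.upper()] += 1  # compared without regard to case
    return counts

def check_name_template(template_domain, lines):
    """Compare the Name template domain with the domains browsers sent via NTLM."""
    seen = domains_in_log(lines)
    expected = template_domain.upper()
    mismatched = {d: n for d, n in seen.items() if d != expected}
    return {
        "expected": expected,
        "matched": seen.get(expected, 0),
        "mismatched": mismatched,
    }

if __name__ == "__main__":
    # Template left at the default derived from ad-dom.com, while the
    # pre-Windows 2000 name is NTDOM: every authenticated request mismatches.
    result = check_name_template("AD-DOM", SAMPLE_LOG)
    print("Name template domain:", result["expected"])
    print("Requests matching it:", result["matched"])
    for domain, hits in sorted(result["mismatched"].items()):
        print(f"Seen in logs instead: {domain} ({hits} requests)")
```

A non-empty `mismatched` result with zero matches is the situation described above: the domain in the Name template is not the pre-win2k domain that the browsers send.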
More information can be found at: