Logon at the logon point fails for users who are members of groups in a different domain. For example, with two domains in the same forest, userA exists in domainA but is also a member of a universal group in domainB.
The Access Gateway log contains an LDAP operation error similar to the following:
ns | :LDAP (052):openldap (03) | LDAP operation failed: error code = 10 (referral), error message = '0000202B: RefErr: DSID-03100742, data 0, 1 access points
ref 1: 'example.com
As a workaround, you can complete one of the following:
Remove the user(s) in question from any groups that belong to another domain.
Do not use authorization: set both the primary and the secondary authorization to None in the logon point configuration.
Authorization is required only when a user's group membership is a criterion for access to resources, which is possible only with SmartAccess logon points. Without authorization, users are still authenticated with their credentials; the appliance simply does not look up their group memberships.
Authentication is working, but authorization fails. The Access Gateway appliance contacts the LDAP server with search requests for the groups the user belongs to. The following screenshot is an excerpt of the network packet trace:
When the search reaches a group that exists in another domain, the LDAP server responds with a referral (LDAP result code 10) instead of the group entry.
Access Gateway software release 5.x does not follow LDAP referrals, so the group memberships held in the other domain cannot be extracted and authorization fails.
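To triage this condition from the appliance log instead of a packet trace, the following Python script (added here as an illustration; it is not part of the article or of the Access Gateway product) parses log lines in the format shown above, flags entries whose LDAP result code is 10 (referral), and collects the domains named in the accompanying "ref N:" lines so you can see which foreign domain the group search was referred to. The sample log text is constructed: the first entry reproduces the article's excerpt, while the invalidCredentials entry and the child.example.com and other.example.com referral targets are assumptions made up for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in the Access Gateway log format quoted in the article.
# The first two lines reproduce the article's excerpt; the remaining entries
# (invalidCredentials error, child/other.example.com referrals) are assumptions.
SAMPLE_LOG = """\
ns | :LDAP (052):openldap (03) | LDAP operation failed: error code = 10 (referral), error message = '0000202B: RefErr: DSID-03100742, data 0, 1 access points
ref 1: 'example.com'
ns | :LDAP (052):openldap (03) | LDAP operation failed: error code = 49 (invalidCredentials), error message = '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1'
ns | :LDAP (052):openldap (03) | LDAP operation failed: error code = 10 (referral), error message = '0000202B: RefErr: DSID-03100742, data 0, 2 access points
ref 1: 'child.example.com'
ref 2: 'other.example.com'
"""

LDAP_REFERRAL = 10  # LDAP result code 10 = referral (RFC 4511)

# "LDAP operation failed: error code = <n> (<name>), error message = '<text>"
# The closing quote may be missing when AD's message continues on the next line.
FAIL_RE = re.compile(
    r"LDAP operation failed: error code = (?P<code>\d+) \((?P<name>\w+)\), "
    r"error message = '(?P<msg>.*?)'?$"
)
# Active Directory's referral text: "<win32 hex>: RefErr: DSID-<hex>, data <n>, <k> access points"
REFERR_RE = re.compile(
    r"^(?P<win32>[0-9A-Fa-f]{8}): RefErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"data (?P<data>\d+), (?P<count>\d+) access points"
)
# Continuation lines naming the referral targets: "ref 1: 'example.com'"
REF_RE = re.compile(r"^\s*ref (?P<n>\d+): '(?P<target>[^']*)'*\s*$")


@dataclass
class LdapFailure:
    code: int
    name: str
    message: str
    dsid: str = ""
    expected_refs: int = 0
    referrals: List[str] = field(default_factory=list)

    @property
    def is_referral(self) -> bool:
        return self.code == LDAP_REFERRAL

    @property
    def complete(self) -> bool:
        # True when every access point announced by the server was logged.
        return not self.is_referral or len(self.referrals) == self.expected_refs


def parse_log(text: str) -> List[LdapFailure]:
    """Extract LDAP failures and attach 'ref N:' lines to the preceding referral."""
    failures: List[LdapFailure] = []
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            failure = LdapFailure(int(m["code"]), m["name"], m["msg"])
            r = REFERR_RE.match(failure.message)
            if r:
                failure.dsid = r["dsid"]
                failure.expected_refs = int(r["count"])
            failures.append(failure)
            continue
        m = REF_RE.match(line)
        if m and failures and failures[-1].is_referral:
            failures[-1].referrals.append(m["target"])
    return failures


def referred_domains(failures: List[LdapFailure]) -> Dict[str, int]:
    """Count how often each foreign domain was named as a referral target."""
    counts: Dict[str, int] = {}
    for f in failures:
        if f.is_referral:
            for target in f.referrals:
                counts[target] = counts.get(target, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for f in found:
        status = "referral -> " + ", ".join(f.referrals) if f.is_referral else f.name
        print(f"code {f.code:>2} ({f.name}): {status}")
    print("referred domains:", referred_domains(found))
```

Any domain that appears in the output is one the appliance would have had to follow a referral into to finish the group lookup; with release 5.x that lookup stops there, which is what makes the user's logon fail even though the bind with their credentials succeeded.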