Brian_at_JPMC
Contributor II

Using NTLM for authentication, LDAP for distribution

Hello community.  I am trying to resolve the following issue.  We would like to use NTLM for authentication (using IIS/QVWS).  This is fine, as long as we are limiting our distribution to Active Directory groups.  We find however, that we cannot use LDAP groups for distribution.  The issue appears to be that with NTLM, QV is presented with an ID in the form of ADDomain\USER_ID.  This value does not retrieve LDAP groups for the given SID.  Is there some way to use LDAP groups for distribution, when user is logging in via NTLM?  Thank you for your assistance.

8 Replies
Albert_Candelario

Hi,
When you are creating a task, are you able to find the LDAP groups to add them as named users on the task?
Did you also check https://community.qlik.com/t5/QlikView-App-Development/LDAP-group-name-and-users/td-p/1203376 ?
Kind regards!
Please, remember to mark the thread as solved once getting the correct answer
Brian_at_JPMC
Contributor II
Author

Yes, on the task, I am able to query for and add the LDAP group to the named users list for distribution. The problem seems limited to how the QVWS attempts to retrieve groups for the NTLM credentials. Even though the user, logging in via NTLM, is a member of that group, they are not seeing the dashboards.

Albert_Candelario

Is this happening for all apps? Do you have section access on them?

And are you using DMS or NTFS?

Kind regards!

Brian_at_JPMC
Contributor II
Author

This is setting up a new server.  Section access is not involved, at least not yet.  This is simply trying to get one dashboard to show when distributed to an LDAP group.  We use LDAP successfully for distribution in another environment where we use SSO instead of NTLM for authentication.  In both cases, we are using DMS.

Albert_Candelario

Yes, to pass the credential you would need to use SSO or another solution. There is some documentation on this:
https://support.qlik.com/articles/000005648
https://support.qlik.com/articles/000003124
https://support.qlik.com/articles/000005586
Please have a look and also compare to your working environment.
Cheers!
Brian_at_JPMC
Contributor II
Author

I do not think it is an issue of passing credentials. I can get it to work with an individual ID if I set the prefix in the LDAP configuration to match the domain of the logged-in user. The issue is when I want to use an LDAP group. The group does not seem to be returned, or is returned in an unusable format. I am comparing to our current environment, which does use SSO and LDAP successfully. One difference I have found is that in the QVWS log, when sending the ID and group list, the new environment has this set:

<GroupListIsNames>false</GroupListIsNames></Global>

whereas the old current environment has

<GroupListIsNames>true</GroupListIsNames></Global>


I am wondering if the group values returned when this is set to false are incompatible. I cannot find out how to set this to true to test. Do you happen to know how to set this to true?

Brian_at_JPMC
Contributor II
Author

Thanks again, Albert.  That first link states, in part, this:

• If using NTLM for authentication, the group membership information is taken from the Windows authentication.

Since Windows has already told Accesspoint the username and also about the group membership for the user, the Directory Service Connector will not be asked to resolve groups. So Accesspoint will show the documents based on the group membership from Windows Authentication, not the group membership in the Directory Service Connector.
If this is not the desired outcome, then NTLM is not a suitable authentication mechanism, and it would make sense to switch to another authentication method that either identifies the groups correctly or not at all.

This may be the fundamental issue.  Is there really no way then to use NTLM for authentication, but still use LDAP for distribution?  Has no one done this?

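The support article quoted above says that under NTLM the group list comes from the Windows logon, not from the Directory Service Connector. The following script is an added example, not code from this thread or from Qlik, that makes the difference between those two sources visible on a domain-joined Windows host: it lists the groups in the caller's own logon token (SIDs, resolved to DOMAIN\Group names where possible) next to the memberOf attribute an LDAP query returns for the same account (distinguished names), then compares the two by short name. The function names Get-TokenGroups and Get-LdapGroups are mine; it assumes the current user has a directory object with a matching sAMAccountName and that ADSI ([adsisearcher]) can reach a domain controller. Whether the SID-form list is what GroupListIsNames=false denotes in the QVWS log is an assumption, not something the thread states.

```powershell
# Added example, not from the thread or from Qlik. Assumes a domain-joined
# Windows host and that the current user's account can be found by sAMAccountName.
# Compares the two group sources discussed in the thread:
#   - the groups in the caller's Windows logon token (what NTLM hands over, as SIDs), and
#   - the memberOf attribute returned by LDAP (what a directory lookup returns, as DNs).

function Get-TokenGroups {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    Write-Host "Logon name as presented by NTLM: $($identity.Name)"   # DOMAIN\user
    foreach ($sid in $identity.Groups) {
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $name = $null    # e.g. a logon-session SID, which has no account name
        }
        [pscustomobject]@{ Sid = $sid.Value; Name = $name }
    }
}

function Get-LdapGroups {
    param([string]$SamAccountName = $env:USERNAME)
    $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $searcher.PropertiesToLoad.Add('memberOf') | Out-Null
    $result = $searcher.FindOne()
    if (-not $result) { throw "No directory object found for $SamAccountName" }
    foreach ($dn in $result.Properties['memberof']) {
        # Use the leaf RDN as the plain group name. This simple split is wrong
        # for DNs whose CN contains an escaped comma.
        [pscustomobject]@{ Dn = $dn; Name = (($dn -split ',')[0] -replace '^CN=', '') }
    }
}

$token = Get-TokenGroups
$ldap  = Get-LdapGroups

'--- Groups from the Windows token (SID, plus resolved DOMAIN\Name) ---'
$token | Format-Table -AutoSize

'--- Groups from LDAP memberOf (distinguished names) ---'
$ldap | Format-Table -AutoSize

# Compare by short name: token names are DOMAIN\Group, so drop the domain part.
$tokenNames = @($token | Where-Object Name | ForEach-Object { ($_.Name -split '\\')[-1] })
$ldapNames  = @($ldap  | ForEach-Object Name)

'--- In the token but not in memberOf (well-known, built-in, primary or nested groups) ---'
Compare-Object $tokenNames $ldapNames | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject

'--- In memberOf but not in the token (e.g. distribution groups) ---'
Compare-Object $tokenNames $ldapNames | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject
```

Run it in a PowerShell session as the user whose access is being checked. Expect the two lists to differ even for a correctly configured account: the token carries well-known SIDs (Everyone, Authenticated Users), the primary group (usually Domain Users) and groups reached through nesting, none of which appear in memberOf, while memberOf can include distribution groups, which never enter a logon token. The point for the thread is the shape of the data: a consumer that is handed the token's SID list has nothing it can match by name against LDAP group entries without an extra resolution step.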
Brett_Bleess
Former Employee

Brian, have you tried using the Alternate Web Page (Webform) option in the QVWS settings?  Only thing of which I can think that might cause things to behave differently... This will force the users to login separately from having their web browser process things automatically, just FYI.  It is the only method of which I can think that will get the DSC involved in order to check the LDAP groups as well...

Regards,
Brett

To help users find verified answers, please do not forget to use the "Accept as Solution" button on any post(s) that helped you resolve your problem or question.
I now work a compressed schedule, Tuesday, Wednesday and Thursday, so those will be the days I will reply to any follow-up posts.