After a lot of debugging, taking source from the JBoss repo and stepping through it, I noticed that the role 'User' was also added to role set of the users, via the standard non-LDAP IdentityLoginModule. Adding this as a group in SBS AD and adding it to the user allowed the portal to work. Also, adding Admin worked as you would expect. I suspect a lot of people have fallen into this trap considering the 403 errors I've seen in the forums. It might be worth updating the specs to ensure people add these roles to their user's role sets, not just 'Authenticated'. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4147884#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...