Hi,
I have a J2EE WebApp which expects the user to have a specific role for authorization
(Authentication and Authorization will be against Active Directory).
Environment details given below:
App Server : JBoss-4.0.5.GA
Directory Services : Microsoft Active Directory.
Step - 1:
Created a Group in Active Directory exactly with the same name required by WebApp,
assuming that JAAS will populate the group name(s) into role(s) after successful
authentication.
Step - 2:
Assigned all the users to the group apart from their pre-assigned groups in Active
Directory (AD).
Step - 3:
Below are the various config XMLs in JBoss.
<!-- ------------------------- login-config.xml - START --------------------------------------------- -->
<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
"-//JBoss//DTD JBOSS Security Config 3.0//EN"
"http://www.jboss.org/j2ee/dtd/security_config.dtd">
<!-- Used by clients within the application server VM such as
mbeans and servlets that access EJBs.
-->
<!-- Attempt with LdapExtLoginModule -->
<application-policy name="HMActiveDirecotry">
  <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
    <!--
      Some AD configurations may require searching against
      the Global Catalog on port 3268 instead of the usual
      port 389. This is most likely when the AD forest
      includes multiple domains.
    -->
    <module-option name="java.naming.provider.url">ldap://ldaphost.company.com:389/</module-option>
    <module-option name="java.naming.security.authentication">simple</module-option>
    <module-option name="bindDN">cn=user,cn=Users,DC=company,DC=com</module-option>
    <module-option name="bindCredential">password</module-option>
    <module-option name="baseCtxDN">DC=company,DC=com</module-option>
    <module-option name="baseFilter">(userPrincipalName={0})</module-option>
    <module-option name="rolesCtxDN">DC=company,DC=com</module-option>
    <module-option name="roleFilter">(member={1})</module-option>
    <module-option name="roleAttributeID">memberOf</module-option>
    <module-option name="roleAttributeIsDN">true</module-option>
    <module-option name="roleNameAttributeID">name</module-option>
    <module-option name="roleRecursion">-1</module-option>
    <module-option name="searchScope">SUBTREE_SCOPE</module-option>
    <module-option name="defaultRole">AuthUserRole</module-option>
  </login-module>
</application-policy>
<!-- Attempt 2: the Wiki example as-is, plus a few more additions -->
<application-policy name="HMActiveDirecotry">
  <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
    <module-option name="java.naming.provider.url">ldap://ldaphost.company.com:389/</module-option>
    <module-option name="java.naming.security.authentication">simple</module-option>
    <module-option name="rolesCtxDN">cn=Users,DC=company,DC=com</module-option>
    <module-option name="matchOnUserDN">false</module-option>
    <module-option name="principalDNSuffix">@ldaphost.company.com</module-option>
    <module-option name="uidAttributeID">sAMAccountName</module-option>
    <module-option name="roleAttributeID">memberOf</module-option>
    <module-option name="roleAttributeIsDN">true</module-option>
    <module-option name="roleNameAttributeID">name</module-option>
    <module-option name="allowEmptyPasswords">false</module-option>
    <module-option name="searchScope">SUBTREE_SCOPE</module-option>
    <module-option name="searchTimeLimit">5000</module-option>
    <module-option name="defaultRole">AuthUserRole</module-option>
    <!-- <module-option name="additionalRole">AuthUserRole</module-option> -->
  </login-module>
</application-policy>
<!-- ------------------------- login-config.xml - END --------------------------------------------- -->
<!-- ------------------------- web.xml - START --------------------------------------------- -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <display-name>LDAP-Test</display-name>
  <!-- servlet-name, display-name and jsp-file belong inside a <servlet> element,
       and the 2.3 DTD orders servlet/servlet-mapping before welcome-file-list -->
  <servlet>
    <servlet-name>ldapTest</servlet-name>
    <display-name>LDAPTest</display-name>
    <jsp-file>/ldaptest.jsp</jsp-file>
  </servlet>
  <servlet-mapping>
    <servlet-name>ldapTest</servlet-name>
    <url-pattern>/ldapTest</url-pattern>
  </servlet-mapping>
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>LDAPTestJSP</web-resource-name>
      <url-pattern>/ldaptest</url-pattern>
      <url-pattern>/ldaptest.jsp</url-pattern>
      <url-pattern>/ldapTest</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>AuthUserRole</role-name>
    </auth-constraint>
  </security-constraint>
  <!-- <login-config>
    <auth-method>BASIC</auth-method>
  </login-config> -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login_error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>AuthUserRole</role-name>
  </security-role>
</web-app>
<!-- ------------------------- web.xml - END --------------------------------------------- -->
<!-- ------------------------- jboss-web.xml - START ------------------------------------- -->
<jboss-web>
  <security-domain>java:/jaas/test</security-domain>
</jboss-web>
<!-- ------------------------- jboss-web.xml - END -------------------------------------- -->
Actual Result:
The J2EE WebApp is not authorizing the user to view the ldapTest Servlet (JSP) after
successful authentication.
I have tried with both LdapExtLoginModule & LdapLoginModule and could not get through.
Is there any specific way of defining groups in Active Directory so that they will be
populated into roles by JAAS after successful authentication? Please respond ASAP.
Can anyone help me please? This is very urgent.
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4025948#...
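A consistency check across the three descriptors, added here as an example (it is not code from the post or from JBoss). It parses cut-down copies of the posted login-config.xml, web.xml and jboss-web.xml (DOCTYPEs dropped and a `<policy>` root added so the fragment parses; the policy names, security-domain and option values are the post's) and reports the things a reviewer would flag before touching the directory: two `application-policy` elements with the same name, a `security-domain` (`java:/jaas/test`) that names no policy, roles required by an `auth-constraint` but never declared, simple bind over plain `ldap://`, a cleartext `bindCredential`, and a `defaultRole` handed to every authenticated user. The fallback-to-`other` behaviour it mentions is how JBoss 4 resolves an unknown security domain.

```python
"""Cross-check the login-config.xml, web.xml and jboss-web.xml fragments from the post.

Added example, not code from the post or from JBoss. The three descriptor strings
are cut down from the post (DOCTYPEs dropped, a <policy> root added so the
login-config fragment parses); names and option values are the post's own.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

LOGIN_CONFIG = """<?xml version='1.0'?>
<policy>
  <application-policy name="HMActiveDirecotry">
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.provider.url">ldap://ldaphost.company.com:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindDN">cn=user,cn=Users,DC=company,DC=com</module-option>
      <module-option name="bindCredential">password</module-option>
      <module-option name="defaultRole">AuthUserRole</module-option>
    </login-module>
  </application-policy>
  <application-policy name="HMActiveDirecotry">
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="java.naming.provider.url">ldap://ldaphost.company.com:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="defaultRole">AuthUserRole</module-option>
    </login-module>
  </application-policy>
</policy>
"""

WEB_XML = """<web-app>
  <security-constraint>
    <auth-constraint><role-name>AuthUserRole</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>AuthUserRole</role-name></security-role>
</web-app>
"""

JBOSS_WEB_XML = "<jboss-web><security-domain>java:/jaas/test</security-domain></jboss-web>"


def module_options(login_module: ET.Element) -> Dict[str, str]:
    """Flatten <module-option name="..">value</module-option> children into a dict."""
    return {o.get("name", ""): (o.text or "").strip() for o in login_module.findall("module-option")}


def check_descriptors(login_config: str, web_xml: str, jboss_web_xml: str) -> List[str]:
    """Return human-readable findings; an empty list means the three files agree."""
    findings: List[str] = []
    policy = ET.fromstring(login_config)
    policies = policy.findall("application-policy")
    names = [ap.get("name", "") for ap in policies]

    # 1. Two policies with one name: the container keeps only one of them.
    for name in sorted({n for n in names if names.count(n) > 1}):
        findings.append(f"duplicate application-policy '{name}': only one definition can take effect")

    # 2. The web app's security domain must name an existing application-policy;
    #    otherwise JBoss 4 silently falls back to the 'other' policy.
    domain = ET.fromstring(jboss_web_xml).findtext("security-domain", "").strip()
    short_name = domain.rsplit("/", 1)[-1]          # java:/jaas/test -> test
    if short_name not in names:
        findings.append(f"security-domain '{domain}' matches no application-policy "
                        f"(found: {sorted(set(names))}); the LDAP modules never run")

    # 3. Every role an auth-constraint requires should be declared as a security-role.
    web = ET.fromstring(web_xml)
    declared = {(r.text or "").strip() for r in web.findall("security-role/role-name")}
    required = {(r.text or "").strip()
                for r in web.findall("security-constraint/auth-constraint/role-name")}
    for role in sorted(required - declared):
        findings.append(f"role '{role}' is required by an auth-constraint but not declared as a security-role")

    # 4. Transport and secret handling inside each login module.
    for ap, name in zip(policies, names):
        for lm in ap.findall("login-module"):
            opts = module_options(lm)
            where = f"{name}/{lm.get('code', '').rsplit('.', 1)[-1]}"
            if (opts.get("java.naming.provider.url", "").startswith("ldap://")
                    and opts.get("java.naming.security.authentication") == "simple"):
                findings.append(f"{where}: simple bind over plain ldap:// sends the bind password and "
                                "every user's password in cleartext; use ldaps:// (or StartTLS)")
            if opts.get("bindCredential"):
                findings.append(f"{where}: bindCredential is stored in cleartext in login-config.xml; "
                                "restrict who can read the file")
            if opts.get("defaultRole"):
                findings.append(f"{where}: defaultRole '{opts['defaultRole']}' is granted to every "
                                "authenticated user regardless of group membership")
    return findings


if __name__ == "__main__":
    for line in check_descriptors(LOGIN_CONFIG, WEB_XML, JBOSS_WEB_XML):
        print("-", line)
```

Run as-is it prints the findings for the posted descriptors; pass it a jboss-web.xml whose `security-domain` ends in the policy name to see the domain finding disappear. The check is deliberately file-only: it says nothing about whether the directory itself holds the right group, which is the separate question of how the role search walks the entries.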
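To answer the question of how AD groups become roles, the following added example (not code from the post or from JBoss) walks a small constructed directory the way the `rolesCtxDN` / `roleFilter` / `roleAttributeID` / `roleAttributeIsDN` / `roleNameAttributeID` / `defaultRole` options are documented to work, and compares three option sets: the post's first attempt, the common Active Directory pattern that matches the user's own entry and reads its `memberOf`, and a group-side pattern that follows one level of nesting. The directory contents, the user `jdoe` and the group `AllApps` are constructed; `roleRecursion` is modelled as a non-negative depth and the exact recursion behaviour of JBoss 4.0.5 (including the posted value of -1) is not reproduced.

```python
"""Model of how LdapExtLoginModule-style options turn directory entries into roles.

Added example, not code from the post or from JBoss. The directory is constructed;
the resolution walk follows the documented meaning of rolesCtxDN, roleFilter,
roleAttributeID, roleAttributeIsDN, roleNameAttributeID, defaultRole and a
non-negative roleRecursion depth, not the JBoss 4.0.5 source.
"""
from typing import Any, Dict, List, Set

Entry = Dict[str, List[str]]

USER_DN = "CN=jdoe,CN=Users,DC=company,DC=com"
APP_GROUP_DN = "CN=AuthUserRole,CN=Users,DC=company,DC=com"
PARENT_GROUP_DN = "CN=AllApps,CN=Users,DC=company,DC=com"
DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,DC=company,DC=com"

# Constructed AD-style directory: DN -> attributes. jdoe is a direct member of the
# application group and of Domain Users; the application group is nested in AllApps.
DIRECTORY: Dict[str, Entry] = {
    USER_DN: {"sAMAccountName": ["jdoe"], "userPrincipalName": ["jdoe@company.com"],
              "memberOf": [APP_GROUP_DN, DOMAIN_USERS_DN]},
    APP_GROUP_DN: {"cn": ["AuthUserRole"], "name": ["AuthUserRole"],
                   "member": [USER_DN], "memberOf": [PARENT_GROUP_DN]},
    PARENT_GROUP_DN: {"cn": ["AllApps"], "name": ["AllApps"], "member": [APP_GROUP_DN]},
    DOMAIN_USERS_DN: {"cn": ["Domain Users"], "name": ["Domain Users"], "member": [USER_DN]},
}

# The post's first attempt: match groups by member, then read *their* memberOf.
POSTED_OPTIONS: Dict[str, Any] = {
    "rolesCtxDN": "DC=company,DC=com", "roleFilter": "(member={1})",
    "roleAttributeID": "memberOf", "roleAttributeIsDN": True,
    "roleNameAttributeID": "name", "roleRecursion": 0, "defaultRole": "AuthUserRole",
}
# Common AD pattern: match the user's own entry and read its memberOf.
USER_ENTRY_OPTIONS: Dict[str, Any] = {
    "rolesCtxDN": "DC=company,DC=com", "roleFilter": "(sAMAccountName={0})",
    "roleAttributeID": "memberOf", "roleAttributeIsDN": True,
    "roleNameAttributeID": "cn", "roleRecursion": 0,
}
# Group-side pattern: match groups by member, take the group's own cn, follow one nesting level.
GROUP_ENTRY_OPTIONS: Dict[str, Any] = {
    "rolesCtxDN": "DC=company,DC=com", "roleFilter": "(member={1})",
    "roleAttributeID": "cn", "roleAttributeIsDN": False, "roleRecursion": 1,
}


def search(base_dn: str, filter_template: str, username: str, subject_dn: str) -> List[str]:
    """Subtree search for one equality filter such as '(member={1})'; {0} is the login
    name and {1} the DN being expanded (the user on the first pass, a group when recursing)."""
    attr, _, value = filter_template.strip("()").partition("=")
    value = value.replace("{0}", username).replace("{1}", subject_dn)
    return [dn for dn, entry in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower()) and value in entry.get(attr, [])]


def resolve_roles(opts: Dict[str, Any], username: str, user_dn: str) -> Set[str]:
    """Roles the login module would hand to the container for this user."""
    roles: Set[str] = set()
    if opts.get("defaultRole"):
        roles.add(opts["defaultRole"])          # granted unconditionally
    visited: Set[str] = set()

    def walk(subject_dn: str, depth: int) -> None:
        for dn in search(opts["rolesCtxDN"], opts["roleFilter"], username, subject_dn):
            if dn in visited:                    # guard against membership cycles
                continue
            visited.add(dn)
            for value in DIRECTORY[dn].get(opts["roleAttributeID"], []):
                if opts["roleAttributeIsDN"]:
                    # value is a DN: the role name is that entry's roleNameAttributeID
                    target = DIRECTORY.get(value, {})
                    roles.update(target.get(opts["roleNameAttributeID"], []))
                else:
                    roles.add(value)             # value is the role name itself
            if depth < int(opts.get("roleRecursion", 0)):
                walk(dn, depth + 1)

    walk(user_dn, 0)
    return roles


def is_authorized(opts: Dict[str, Any], username: str, user_dn: str, required_role: str) -> bool:
    """The container's auth-constraint check: does the user hold the required role?"""
    return required_role in resolve_roles(opts, username, user_dn)


if __name__ == "__main__":
    for label, opts in [("posted", POSTED_OPTIONS), ("user-entry", USER_ENTRY_OPTIONS),
                        ("group-entry", GROUP_ENTRY_OPTIONS)]:
        print(f"{label:12s} -> {sorted(resolve_roles(opts, 'jdoe', USER_DN))}")
```

In this model the posted combination (`roleFilter=(member={1})` with `roleAttributeID=memberOf`) matches the groups jdoe belongs to and then reads those groups' `memberOf`, so it yields the parent group `AllApps`, not `AuthUserRole`; `AuthUserRole` only appears because `defaultRole` grants it to every authenticated user, which is a far broader grant than the group was meant to express. Either of the other two option sets maps the group the user was actually placed in, which is the check to make before relying on `defaultRole`.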