Alex, does the UPN prefix of the user object match the cn of that user object?
I have not been able to get AD users to log in via group authorization if the UPN prefix is different than the user object cn. When you look at the ‘member’ attribute of the group object, you see this is the full distinguished name of the user accounts.
I think the plug-in does an LDAP search of groups where the group ‘member’ attribute contains the username used to log in. If the UPN is different than what that cn is, the LDAP query will return zero groups.
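The mismatch described above, as an added example that is not part of the original post and not the plug-in's code. It assumes the plug-in treats the login name as the cn inside the 'member' DN, and compares that with resolving the user's real DN from the UPN first; the directory entries and function names are constructed for illustration.

```python
# Constructed sample directory (not real data): user DN -> attributes, group DN -> members.
BASE = "OU=Staff,DC=example,DC=com"
USERS = {
    f"CN=Alexander Smith,{BASE}": {"userPrincipalName": "asmith@example.com"},
    f"CN=jdoe,{BASE}": {"userPrincipalName": "jdoe@example.com"},
}
GROUPS = {
    "CN=App-Admins,OU=Groups,DC=example,DC=com": {"member": list(USERS)},
}

def escape_filter(value):
    """Escape a value for use in an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        out.append(f"\\{ord(ch):02x}" if ch in "\\*()\x00" else ch)
    return "".join(out)

def groups_with_member(dn):
    """Groups whose 'member' holds exactly this DN (DN matching is case-insensitive)."""
    return sorted(g for g, a in GROUPS.items()
                  if dn.lower() in (m.lower() for m in a["member"]))

def groups_by_login_as_cn(login):
    """Assumed plug-in behaviour: treat the login name as the cn inside the member DN."""
    return groups_with_member(f"CN={login},{BASE}")

def resolve_dn(login):
    """Find the user entry by UPN prefix and return its real DN, or None."""
    hits = [dn for dn, a in USERS.items()
            if a["userPrincipalName"].split("@", 1)[0].lower() == login.lower()]
    return hits[0] if len(hits) == 1 else None  # reject missing or ambiguous matches

def groups_by_resolved_dn(login):
    """Two-step lookup: login -> user DN -> groups listing that DN in 'member'."""
    dn = resolve_dn(login)
    return groups_with_member(dn) if dn else []

def member_filter(dn):
    """Filter string the second step would send to the directory."""
    return f"(&(objectClass=group)(member={escape_filter(dn)}))"

if __name__ == "__main__":
    for login in ("jdoe", "asmith"):
        print(login, groups_by_login_as_cn(login), groups_by_resolved_dn(login))
    print(member_filter(resolve_dn("asmith")))
```
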