Disabling Authorization Checks
You can optionally disable the querying of group information used for authorization when configuring an
authentication server. A "Use this authentication server to check group membership" checkbox is available for
each server type that can contain group information used for authorization, including Active Directory, Active
Directory Tree, and LDAP servers.
Usually, when you use a directory server as part of authentication, you also want the group information stored
there to be used in policy authorization. However, in some cases a directory server is used for secondary
authentication and does not contain group information. In other cases, the secondary authentication server
does not use the same identifier for the user.
If a group query is made on both a primary and a secondary server, the authentication process takes longer.
In addition, if the user name is different on the two servers, a group query using the name from the primary
server will result in an error from the secondary server. Because the appliance policy always defaults to closed,
such an error will result in any deny rule being applied to the end user. By disabling group authorization checks
on the secondary server, you can avoid these problems.
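The failure mode described above can be reproduced with a small model. This is an added example, not appliance code: the AuthServer class, the authorize function, the server names and the user and group names are all constructed for illustration, and the policy is reduced to a single permit rule with a closed default.

```python
from dataclasses import dataclass

class GroupQueryError(Exception):
    """The directory does not recognise the user name it was asked about."""

@dataclass
class AuthServer:
    name: str
    groups_by_user: dict       # constructed directory contents
    check_groups: bool = True  # stands in for the group membership checkbox

    def query_groups(self, username):
        if username not in self.groups_by_user:
            raise GroupQueryError(f"{self.name}: unknown user {username!r}")
        return set(self.groups_by_user[username])

def authorize(username, servers, permit_groups):
    """Return 'permit' or 'deny'; any group query error fails closed."""
    groups = set()
    for server in servers:
        if not server.check_groups:
            continue  # no query sent: no added latency, no lookup error
        try:
            groups |= server.query_groups(username)
        except GroupQueryError:
            return "deny"  # assumed model of the default-closed policy
    return "permit" if groups & permit_groups else "deny"

def demo(check_secondary):
    # Constructed data: the primary knows the user as "jsmith"; the
    # secondary holds the same person under a different identifier.
    primary = AuthServer("primary-ad", {"jsmith": ["VPN-Users"]})
    secondary = AuthServer("secondary-ldap", {"john.smith": []},
                           check_groups=check_secondary)
    return authorize("jsmith", [primary, secondary], {"VPN-Users"})

if __name__ == "__main__":
    print("group check on secondary enabled: ", demo(True))
    print("group check on secondary disabled:", demo(False))
```

With the check enabled on the secondary server, a correctly authenticated member of the permitted group is still denied, which is the symptom to look for when a secondary server uses a different identifier.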
If group checking is disabled for an authentication server, the server will not be available in the list of available
affinity servers on the realm configuration page. Conversely, if an authentication server is in use as an affinity
server for any realm, group checking cannot be disabled for that authentication server. See Enabling Group Affinity Checking in a Realm for more information.