In an environment with multiple domains and various trust relationships, you may very well have users who belong to multiple groups  that exist in different domains. For example, two domains in the same forest, where userA exists in domainA but is also a member of a universal group in domainB.

Unfortunately that may present a problem for the Access Gateway appliance, and some users may see this when they’re trying to log on:

The Access Gateway log contains an LDAP operation error:

 ns | :LDAP (052):openldap (03) | LDAP operation failed: error code = 10 (referral), error message = ‘0000202B: RefErr: DSID-03100742, data 0, 1 access points
ref 1: ‘’

This happens when you use authorization, i.e. when the group membership of a user is a criterion for allowing/denying access to resources. Authentication itself actually works, but authorization fails.

AG contacts the LDAP server with search requests for the various groups the user belongs to:

(network trace excerpt)

Once it gets to a group that exists in another domain, the LDAP server responds with a referral.

Unfortunately the Access Gateway 5 appliance does not support following LDAP referrals to extract groups, which means that at this point the entire operation stops and the user is considered as not authenticated.

There is no resolution as this works as designed.
Using just the AG appliance, there are two possible workarounds:

  1. Remove the user(s) in question from any groups in other domains
  2. Do not use authorization, i.e. set the primary and secondary authorization to “none” (a setting of the logon point; without authorization, users will of course still be subject to authentication using their credentials.)

OR: use the Access Controller!

This will give you the option of using native Active Directory Authentication, or set the LDAP profile to force authentication to occur at the Access Controller… both options will work in this scenario.