Issuance Authorization Based on Group Membership

Similar Messages

• Calculate Set membership based on Group Membership

  I know this has been asked before, but I haven't really found a clear answer to the problem - so here's me re-igniting the fire!
  I want to calculate set membership based on group membership? So, I have a set called "My Set" - its members should be all the members of the group "My Group" (The group is a Manual group, not a criteria based one). I know that Sets cannot
  refer to Groups when using "Resource ID" - bummer!
  I guess this can be done using a custom action WF which triggers whenever a member is added to the Group and goes and it goes and updates the Set with the ExplicitMember reference, but I'm wondering if there's a more elegant solution using some OOTB activities?
  Thanks

  I've done this using a custom WF, but still curious to see if there is some other way around it.
  For those interested, the custom workflow gets the member being added from the request, and adds it to the set - fairly simple really. I'm using the FIM PowerShell WF activity for this, in conjunction with the fantastic FIM PowerShell Module

• Mapping shares based on ADS Group membership

  Hello,
  I am a pc person and do not know much about Macs. I have been charged to find a way to attach all of our new macs to our Active Directory. I have been able to bind a test machine to the directory and get the home share. Now the "higher ups" want the macs to mimic a pc in logon. They want the mac to map all the shares based on group membership at login. Some of these people connect to 4 to 5 different shares depending on their job duties.
  I have looked on line and all the questions/answers like this seem to end at binding to the ADS and getting a home share. I need to go one step further. Any help would be greatly appriciated.

  Logon scripts, not Active Directory, are typically used to map drives to Windows computers at login. You assign a script to a user via Active Directory.
  Macs can't be administered from Active Directory and therefore can't use the logon scripts from Active Directory, so you'll need a different solution. The Workgroup Manager from Mac OS X Server used with Active Directory in a Golden Triangle is a common solution. It does require a Mac OS X Server.
  You won't find many other options, if any.
  Hope this helps! bill
  1 GHz Powerbook G4   Mac OS X (10.4.8)  

• Can group membership be the target of an ACI?

  We have a few static groups that are used by a network authentication server. I also have a group of Help Desk staff that can change passwords of users who have forgotten theirs. I would like to restrict this ability so that they cannot change the passwords of users in certain groups. Is there a way to either: make group membership part of a target of an ACI, or assign a role based on group membership? I could create a role to do what I want, but I would then have to (I think) manually add the role to a user if I added that user to one of the groups I want to protect. Thanks...

  Sorry about the duplicated message - I thought the original did not get posted.

• Policies assigned to groups - membership changes not working

  I have a single ZESM IR8 server setup.
  All security throughout my environment, ZESM and otherwise, is based on group membership.
  If I change a user from one group to another group this change does not reflect in their policy assignment.
  Scenario: GroupA = standard user policy, GroupB = power user policy.
  UserA was first in Group A and therefore got the standard user policy.
  UserA now requires the power user policy.
  Remove UserA from GroupA and add UserA to GroupB (in iManager).
  UserA does NOT get the "power user" policy that is assigned to GroupB
  Am aware that I can assign the policy at a user level but this is NOT an option in my environment. All security assignments MUST happen at a group level.

  What you observed is the expected behavior.
  ZESM doesn't updates group membership in real time once a policy has been published. I've described this behavior on previous posts.
  What the MC does behind the scenes when you click "Publish" on a container or group object is to assign the policy individually to each member/user. For groups, it resolves membership at the time the policy is published then the MC iterates among each member assigning the policy to each of them. That's why you don't see updates once the policy is published.
  Try Updating the published policy to see if that works. From the docs:
  Updating a Published Policy
  Once a policy has been published to the user(s) or computer(s), simple updates can be maintained by editing the components in a policy, and re-publishing. For example, if the ZENworks Endpoint Security Management Administrator needs to change the WEP key for an access point, the adminstrator only needs to edit the key, save the policy, and click Publish. The affected end-users and computers receive the updated policy (and the new key) at their next check-in.
  >>>
  From: laurabuckley<[email protected]>
  To:novell.support.zenworks.endpoint-security-management
  Date: 12/15/2009 7:16 AM
  Subject: Policies assigned to groups - membership changes not working
  I have a single ZESM IR8 server setup.
  All security throughout my environment, ZESM and otherwise, is based on
  group membership.
  If I change a user from one group to another group this change does not
  reflect in their policy assignment.
  Scenario: GroupA = standard user policy, GroupB = power user policy.
  UserA was first in Group A and therefore got the standard user policy.
  UserA now requires the power user policy.
  Remove UserA from GroupA and add UserA to GroupB (in iManager).
  UserA does NOT get the "power user" policy that is assigned to GroupB
  Am aware that I can assign the policy at a user level but this is NOT
  an option in my environment. All security assignments MUST happen at a
  group level.
  laurabuckley
  laurabuckley's Profile: http://forums.novell.com/member.php?userid=122
  View this thread: http://forums.novell.com/showthread.php?t=395870

• ACS 5.3 Group Mapping based on AD group membership

  Hi,
  I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the users specific AD group membership, and match appropriatly to an identity group.
  What i'm trying to do is say that if the user is a member of the AD Group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. The under the access service, authorization portion, i assign shell profiles and command sets based on Identity Group.
  It seems that the ACS server will not match the AD Group for the user, and it will match the Default of teh Group Mapping portion of the policy every time.
  I tried several configuration choices from : AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.
  Is there something special i need to do in the Group Mapping Policy to get it to match and active directory group and result in assigning the host to an Identity Group?
  Thank you,
  Sami

  Ok, my case is like this.
  I use ACS 5.3 for VPN authentication, using AD and an external RSA for token authentication (2 factor authentication)
  I didn't add all the VPN users in the ACS, because it will be troublesome, the users authentication will be managed by AD and RSA server.
  In some cases where we need to restrict a group of user to only access certain resources, downloadable ACL is used.
  Following the Cisco docs, i manage to get downloadable ACL works when the authorization profile matching criteria is username, but when i change the matching criteria to Identity group, the downloadable ACL won't work.
  I have a case with Cisco engineer now and still in the middle to sort things out.
  The advice from the Cisco engineer is to have the Access Service set to Internal User instead of RSA server, but that will require us(the admin) to import all the VPN users into the ACS database.
  Wondering whether there is a fix for this.
  Thanks.

• How to create LDAP filter-based rule to check Group membership in OAM

  Hi folks,
  I'm having hard time creating an authorization rule to verify ldap group membership. I've followed "Configure User Authorization" article from Oracle website (http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32420/v2authz.htm#BABHBFEJI) and created an Authorization scheme w ldap_attribute_name as User Parameter and ruleExpression as Required Parameter. Then, inside my policy I created an Authorization Rule based on my Authz scheme w Allow Access attrib filter-based Rule which looks like this:
  ldap://ldap_server:port/ou=People,o=Company,c=US??sub?(ldap_attribute_name=ldap_attribute_value)
  This works fine.
  Now, I've added another filter-based rule under the same Authz Rule/Allow Access:
  ldap://ldap_server:port/ou=Groups,o=Company,c=US?uniqueMember?sub?(&(objectClass=groupOfUniqueNames)(cn=ldap_group_name))
  While query looks somewhat correct and works as a command-line argument (slightly modified format), it does not work in OAM (meaning people w out req-d group membership can still login).
  Can someone steer me to the right direction as to what do I need to do:
  1. Change/fix the ldap query
  2. Create new Authz scheme with uniqueMember userParameter; create new Authz rule based on new authz scheme; create new Allow Access filter rule with the ldap query I have
  3. Do smth else
  Any help is greatly appreciated.
  Thank you, Roman

  You can create two authorization rules
  First for user with attribute
  and second for group
  and then in authorization expression you can have AND of these two.
  Regarding your query...
  First ... If your requirement is to give access to all the members of a particular group then you don't require any ldap filters
  All you have to do is in the authorization rule -> Allow access -> Select People (here you have to select group so click on the group tab, its little hard to see but its there in light blue color on dark blue tab) -> select the group you want to give access
  Second.. If your requirement is such that you want to give access to a member of a group which has certain attribute lets say group with status active ( In this case you are not aware of the name of the group because user can be a member of any group but you want to give access only to the group with specific attribute.) then you have to write custom authorization plugin.
  If the option is second let me know i can give you a solution which will work for a single domain without any effort of developing a major plugin.
  Hope this helps,
  Sagar

• Shared Calendars / Room Lists and automatically forcing them to users based on Security Group Membership

  Good morning all,
  I need some help achieving the following in our Exchange 2013 Environment.  First off, we have Exchange 2013, but all our clients have Outlook 2010.
  Here's what I would like to be able to do:
  1) create/manage public calendars / rooms in exchange 2013
  2) force these shared public calendars / rooms to users' calendars who are members of particular security groups
  3) give edit permissions / "booking" permissions for the shared calendars so select users are able to make changes to the shared calendars, as well as accept/deny requests to "book" shared room calendars
  Any one got any resources they can give to point me in the right direction?
  I have already created two mailbox room resources, and have them set up in a room list in AD.  But need to know the above as far as creating a shared calendar for events, and forcing these calendars / room lists out to users based on security group
  membership.
  I don't want my users to have to know how to add a shared calendar...that would be a nightmare explaining.  I just want it to show up.
  Any help on this is greatly appreciated, thank you!

  1) I recommend using Room Mailboxes for resource calendars because it just works better.
  2) This is a standard feature of a Room Mailbox.
  3) You're pretty specific here, but I think this is also more or less available with a Room Mailbox combined with folder rights.
  I don't know any way to just make them "show up".  You'll have to teach them.  Well written instructions can work wonders.
  Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

• Active Directory Group membership based on OIM Role

  In OIM 11g, is it possible to determine additional AD group membership based on role membership?
  If it is, could someone point me to documentation or give me a brief description of what to do in order to make this work?
  Thanks!

  In OIM 11g, is it possible to determine additional AD group membership based on role membership?
  If it is, could someone point me to documentation or give me a brief description of what to do in order to make this work?
  Thanks!

• AD Group Membership with User From Domain Outside of Forest

  Here's one to twist your brain around -
  I have kerberos authentication using Active Directory working between a client's web browser and my web-app hosted in JBoss. I also have limited authorization working by checking group memberships using LDAP. This currently only works if all users are in the same domain. The ever-helpful adler_steven has detailed in another thread (http://forum.java.sun.com/thread.jspa?threadID=603815&tstart=15) how to do a group membership check for all Users/Groups in a single forest using the Global Context.
  I need to go beyond the domain and even beyond the forest and try to authorize a user from a trusted domain by checking if the user is a member of a group in my domain. Authentication works fine using kerberos. It's the authorization by group check I am having trouble with. I believe there are two ways to approach this:
  Approach #1
  Access the MS-specific PAC in the kerberos token from the client to get the group SIDs. The structure of the PAC is nicely defined in this article: http://appliedcrypto.com/spnego/pac/ms_kerberos_pac.html. However, I have no idea how to access the decrypted token. I pass the encrypted token that I receive from the browser to myGssContext.acceptSecContext(...) to complete the authentication.
  Question: Does anyone know how to get the decrypted kerberos ticket from there, specifically the authorization-data field?
  Approach #2
  Try to walk through the Active Directory structures in both domains using LDAP. In the domain group that I am checking, I can see a member attribute that references a foreignSecurityPrincipal object. The CN of this object happens to be the objectSID of the user I am looking for in the remote domain. Unfortunately, I have to check the remote domain server directly to verify that. The foreignSecurityPrincipal object itself does not contain any hint about what user it refers to aside from the SID (no originalDomainName attribute or something similar). It is feasible that I could walk the chain of references back to the remote domain AD server. That would require that my configuration include a list of remote domain servers to check (since I could have users from multiple trusted domains) and that my JBoss server have access to those servers.
  Question: Does anyone know of some other LDAP-related way of finding information about a user from a remote, trusted domain without having to hit the server for that domain directly?
  adTHANKSvance
  Eric

  You should be able to work back from the foreignSecurityPrincipal object :-) He says with a wry smile..
  This post prompts me to think whether one day someone will draw the entity relationship diagram for AD. Oh well, I've been procrastinating for years, a few more won't hurt !
  If it was a user from within the same forest, you should just be able to perform a search against a GC using the objectSID as the search filter. I've forgotten, but I don't think they will be represented as foreign security principals.
  Have a look at the post titled JNDI, Active Directory and SID's (Security Identifiers) available at
  http://forum.java.sun.com/thread.jspa?threadID=585031&tstart=150 that describes how to search for an object based on their SID.
  Now if it is a user from another forest, with which you have a trust relationship, then we begin the navigation excercise.
  You'll need obtain the user's SID (either from the cn or from the objectSID attributes) from the foreignSecurityPrincipal object. For example CN=S-1-5-21-3771862615-1804478405-1612909269-2143,CN=ForeignSecurityPrincipals,DC=antipodes,DC=com
  objectSID=S-S-1-5-21-3771862615-1804478405-1612909269-2143Then obtain the domain RID, eg.S-1-5-21-3771862615-1804478405-1612909269Next you will have to recurse each of the crossRef objects in the Partitions container, in the configuration naming context (which you will find listed in the RootDSE). The crossref objects that represent trusted domains or forests will have values for their trustParent attributes. A sample query would be something like//specify the LDAP search filter
  String searchFilter = "(&(objectClass=crossRef)(trustParent=*))";
  //Specify the Base for the search
  String searchBase = "CN=Partitions,CN=Configuration,DC=antipodes,DC=com";For each crossRef object, you can then use the dnsRoot attribute to determine the dns domain name of the forest/domain (if you want to later use dns to search for the dns name,ip address of the domain controllers in the trusted domains/forests), and then use the nCName attribute to determine the distinguished name of the trusted forest/domain.dnsRoot = contoso.com
  ncName = dc=contoso,dc=comPerform another bind to the ncName for the trusted domain/forest and retrieve the objectSID attribute, which will be the domain's RID. You may want to cache this information as a lookup table to match domain RID's with domain distingusihed names and dns names.String ldapURL = "ldap://contoso.com:389";
  Attributes attrs = ctx.getAttributes("dc=contoso,dc=com");
  System.out.println("Domain SID: " + attrs.get("objectSID").get());Once you find out which domain matches the RID for the foreignSecurityPrincipal, you can then perform a search for the "real user" .And then finally you should have the user object that represents the foreign security principal !
  Just one thing to note. Assume that CONTOSO and ANTIPODES are two separate forests. If you bind as CONTOSO\cdarwin against the CONTOSO domain, the tokenGroups attribute (which represents teh process token) will contain all of the group memberships of Charles Darwin in the CONTOSO domain/forest. It will not contain his memberships if any, of groups in the ANTIPODES forest. If Charles Darwin accesses a resource in ANTIPODES, then his process token used by the ANTIPODES resource will be updated with his group memberships of the ANTIPODES forest. Also you can have "orphaned foreignn security principal", where the original user object has been deleted !
  BTW, If I was doing this purely on Windows, IIRC, you just use one API call DsCrackNames, to get the "real user", and then the appropriate ImpersonateUser calls to update the process token etc..
  Good luck.

• SAML 2.0 and AD Security Group Membership

  In ADFS 2.0, as a part of the token, I can pass the AD
  security groups the user is in. Does SAP SSO have the ability to send and
  receive SAML 2.0 tokens with AD security group membership?

  Hi Jeff,
  SAP SAML 2.0 Identity Provider is able to include any group (or role) assignment of the user (available in the NetWeaver AS Java UME) as SAML Attribute in the generated SAML 2.0 Assertion.
  These group assignments of the user can be local (maintained in local UME database) or remote ones if the UME is configured with other Data Source.
  So in order to be able send the AD group assignments of the user you need to change the NetWeaver UME Data Source to your AD. More information how to do that you can find at this page: Identity Management - SAP Library.
  Then in your Identity Provider you can configured so called "Authorization-Based Assertion Attributes" in the "Identity Federation" tab of your trusted Service Provider configuration. An example with such attributes is provided at this page: Configuring Identity Federation with Transient Users - Identity Provider for SAP Single Sign-On and SAP Identity Managem… (although the page is for Transient federation these attributes are supported for all supported NameID formats).
  Regarding the receiving part:
  In SAP SAML 2.0 Service Provider of NetWeaver AS Java received SAML 2.0 Attribute can be either assigned to any UME attribute of the authenticated user, or to be used in rules that assign specific role(s) or group(s) to the user. For more details see these pages: Configuring Federation Type Persistent Users (Advanced) - User Authentication and Single Sign-On - SAP Library and Configuring Federation Type Virtual Users - User Authentication and Single Sign-On - SAP Library
  Regards,
  Stefan

• Group membership alterations timeout

  Hello,
  I've imported about 100 security groups with their members from AD to FIM and have altered precedence so that FIM now manages these groups. I want to change the groups to criteria based membership and have successfully done so in a number of cases,
  however I am finding that groups with more than apx. 700 members are causing an error in the portal.
  Event viewer says that the diagnostic log may contain more information but it does not. It also suggests checking the SharePoint log but unfortunately I have been unable to find an appropriate log.
  I've had this error occur before in similar circumstances and my guess is that there is some sort of timeout cancelling the operation.
  Does anyone know of a fix for this? Is there a way to empty the group memberships?
  Many thanks 
  Portal error:
  "Unable to process your request. Please contact your help desk or system administrator."
  Event viewer:
  "The portal was unable to complete a request and showed a user the default error page.
  An unhandled exception was caught.
  Check the product diagnostic log file and then check the SharePoint log file."

  Hello FIM-EN,
  You probably have a timeout issue. Tyr to increase the value in the file "C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config":
  /configuration/ resourceManagementClient/ @timeoutInMilliseconds
  [0,360000]
  90,000
  The timeout of the client side of communication.
  link:
  http://technet.microsoft.com/en-us/library/ff800821%28v=ws.10%29.aspx
  Regards,
  Sylvain

• Group membership redirect with AD LDS

  I have my LDS instance synchronized with my AD environment. I am only synchronizing objectClass=user. I am creating userProxyFull objects on the LDS side. Authentication is working as I have tested authenticating with an AD user to LDS.
  My application person would like to query group membership, that is the group membership that exists in AD. Is it possible to redirect group membership queries so that the group membership information from AD is provided to the application that is using
  the userProxyFull object in LDS?
  Thanks,
  Paul

  Hi,
  why do you need userProxy and AD LDS, is it that the application can only support LDAP simple bind or that you need a form of distinguishedName other than that in your AD or that the application cannot reach your DCs?
  To do Authorization, if you have ruled out having the application query AD DCs, your options are:
  [1] have the application maintain an Authorization database and sync that from your AD or provisioning system if you really need it to follow AD group membership
  [2] use adamsync to sync the groups as well as doing the userProxy transform, something like:
          <object-filter>(&#124;(objectClass=user)(objectClass=group))</object-filter>
          <attributes>
          <include>objectSID</include>
          <include>member</include>
          <exclude></exclude>
          </attributes>
  it would be best to spin up another AD LDS instance to try this against. You then need to test adding and removing users from the AD groups and check that those changes sync. This might work but unfortunately the more creative you get with object-filter
  in adamsync, the more surprising the results tend to be.
  [3] a variation on [1], ldif export your group memberships from AD and import into AD LDS (distinguishedName re-writing may be required)
  [4] have the application bind with the userProxy credentials to the rootDSE of the AD LDS instance and read tokenGroups to get a list of SIDs that you then need to resolve into groups (I mention this for completeness but it's possibly more complex application
  development than you would want to do...)
  Other options are:
  use a virtual directory tool
  use a different sync tool e.g. FIM or
   Quest One Connect
   disclaimer: I  have never used the latter.
  review the application to see if direct AD DC access is possible.
  Lee Flight

• Group Memberships not Flowing into Metaverse

  Hello,
  I'm trying to figure out why the group member attributes in the CS are not flowing into the MV.  Here's what I have:
  An HR system running on SQL Server
  A staging database that extract data from the HR system
  The staging database has a table representing person object
  The stating database has a table representing person multi-valued attributes (i.e location, job code, etc)
  The staging database has a table representing group objects
  The staging database has a table representing group memberships (mult-valued)
  A SQLMA connected to the person and person multi tables
  A SQLMA connected to the group and group membership tables
  All group memberships are based on job codes and locations.  There are no approval process in place.  If they have this job code, they get certain groups.  That's all calculated in the staging database and the memberships are in the group membership
  table
  This system does connect to AD (and a few other things), but I'm not concerned with that, right now.
  I've read 100 articles on this, most of them over 5 years old, and tried the ones that made sense.  The flow from the database into the CS works well.  No issues there.
  But, a search of the metaverse for the group shows an empty member attribute.  The sync process is not throwing any errors.  At least they're not showing up in the sync service app or the event logs.
  Where allowed, I'm using rules extensions for everything.  I can't use a rules extension to set the member attribute because it's an rdn.
  I'm going to move forward with this by extending the metaverse schema and adding a multi-valued string attribute named "memberOf" to the person object.  Then, I'll modify my existing MA to use that attribute instead of the member attribute. 
  I'm not sure what kind of issues I'm going to run into when exporting that to AD.  I'll cross that bridge when I come to it.  I don't anticipate that being an issue as the dns for all these objects will be calculated by the ADMA based on locations,
  group functions and person types (bascially, I don't care about the MV rdn).
  Anyway, I'm looking for some real world insight on this.  This whole effort is to migrate off an existing IDM system that works very, very well but quite expensive to license.
  Thanks,
  Greg Wilkerson

  Hey Cameron,
  I have total control of all the DB tables FIM is accessing.  I build them up as part of IDM process.
  I've read this article, along the many others that address the "manager" scenario.  This really doesn't apply in this case as the user and group objects are loaded in separate MAs.  Getting reference values to flow with both object live in the
  same CS shouldn't be an issue. 
  I also saw a solution where the group and user objects were in the same table and differentiated by the "object_type" value (user, group).  That solution solved the issue of the groups and user being in the same CS.  As I grow tired of my daily
  FIM beatdown, that solution is growing more attractive.  That's a major DB redesign, and seems quite inefficient.
  The multi-value table for group memberships already exists in the DB.  For FIM purposes, I transferred that data into the user object multi-value table.  See screen shot.  I can certainly configure the group MA to access that multi-value table
  and load the group members as references.  But, because the group MA CS will not contain the user objects, I don't see how the references will be set.  If the reference value isn't set in the CS, it's not going to flow into the MV (at least I haven't
  figured out a way to set the an reference value for an object in the MV - my problem all along.
  This whole "setting a reference value" encompasses much more than just group memberships in my implementation.  Telephone resources and physical access (key cards, etc) are provisioned through the existing eDirectory system.  These objects exist
  in our current IDM system and are associated with users based on rules.  So, the reference value process is something I need to figure out, if I'm going to use this product.
  Maybe I could use a stripped down ECMA2 as a "staging" CS, export the users and groups into this CS and assign the reference values, then import the groups back into the MV, memberships intact.  I'm not sure that would get me where I want to go, and
  it seems like a lot of extra "stuff" to solve what should be a simple problem.  Hmmmmmm.  Or, connect the ECMA2 directly to my group membership multi-value table in the DB.  Hmmmmmm.  I'd still have to export the groups and users into that
  CS, but the import might be much more straight forward.  Hmmmmmm.
  The structure of my GroupMembership table (both columns are anchors or directly translatable to anchors):
  EmployeeGroups
      GroupName varchar(50) not null,
      EmployeeID nvarchar(50) not null,
      ID int identity(1,1) not null

• AD account used for running SIA locked during group membership querying

  Hello,
  I have code that is querying user / group membership from the BOE repository using the Java Enterprise SDK.  When running against an environment using an AD service account to run the SIA, an error is thrown and the AD account is subsequently locked when I execute my code.  The error is as follows:
  com.crystaldecisions.sdk.exception.SDKServerException: The Active Directory Authentication plugin failed to verify the currently specified administration credentials required to connect to Active Directory. Please contact your system administrator. 
  cause:com.crystaldecisions.enterprise.ocaframework.idl.OCA.oca_abuse: IDL:img.seagatesoftware.com/OCA/oca_abuse:3.2
  detail:The Active Directory Authentication plugin failed to verify the currently specified administration credentials required to connect to Active Directory. Please contact your system administrator. 
  The server supplied the following details: OCA_Abuse exception 10505 at [.\exceptionmapper.cpp : 79]  50068 { ,  , secWinAD}
       ...The Active Directory Authentication plugin failed to verify the currently specified administration credentials required to connect to Active Directory. Please contact your system administrator.   Plugin error: SecWinAD Error: an error occurred in CADCredentialManager::SwitchSecurityContexts().
  If the account is successfully running the SIA, I'm not understanding why this message is being thrown.  Also - I'm assuming some internal login is happening with this AD account when I query for group membership (?), as I am able to query for other types of metadata without error / locking the account.  Based on the error thrown, the authentication with this ID is failing, and is probably being attempted multiple times, resulting in the account being locked?  Can anyone provide insight here?
  Thanks...

  Ted is right on the mark with this one.
  The cause is outlined in the exception indicating a problem with the SwitchSecurityContexts() function.  The Active Directory plugin requires a set of credentials with which to connect to Active Directory and perform any necessary lookups.  Therefore, the issue is not with the account running your SIA (and by extension your CMS), but the Active Directory administration credentials you've set on the plugin (either via the CMC or through code).  When the CMS tries to impersonate, or switch security context to the other account, it fails to authenticate against Active Directory.
  Check to make sure this property is set identically to the account running the SIA, and like Ted said, that you can successfully update the plugin via the CMC.
  Thanks,
  Jim