Hi,
To elaborate a bit, consider the following OU hierarchy in Active Directory. If searching for a user in the Employees OU, the Base DN must be at the root of the hierarchy to ensure the LDAP search can find users in that OU. E.g. the baseDN should be "DC=testlab,DC=local" (NOT the OU path of the AD service account "OU=Service Accounts,DC=testlab,DC=local")
C:\>dsquery user -samid mbeattie
"CN=mbeattie,OU=Employees,DC=testlab,DC=local"
C:\>dsquery user -samid srv_netapp_wfa
"CN=srv_netapp_wfa,OU=Service Accounts,DC=testlab,DC=local"
Also one other point is that you must add the AD groups that are assigned to a WFA role for authentication to work.
E.g. ensure you have an AD group created that has the appropriate group members added
C:\>dsquery group -name WFA-Admins
"CN=WFA-Admins,OU=Groups,DC=testlab,DC=local"
C:\>dsquery group -name SGG-WFA-Admins | dsget group -members
"CN=mbeattie,OU=Employees,DC=testlab,DC=local"
Then in WFA add the group: "Execution\User Management\Active Directory Groups", click Add\New, type the group name, select the WFA role and click save. You must add the AD group to WFA before using the test authentication feature.
When using the "test authentication" feature I entered the username who would log in to WFA via their AD account. In my case, e.g. "TESTLAB\mbeattie" (<%NetBIOSDomain%>\<%samAccountName%>)
I read your note about changing the configuration and having to re-enter the password, otherwise it fails and locks the account out. Sure sounds like a bug and the documentation should definitely be updated, will chase it up with the developers. Thanks
/Matt
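The base DN scoping described in the post above, as an added example that is not part of the original post and is not NetApp code: it checks which DNs a subtree search under a given base DN can reach, and goes one step further by computing the narrowest base DN that still covers all of them. The function names are hypothetical, the three DNs are the dsquery results from the post, the escaped-comma DN is constructed, and treating the group DN as needing to be in scope is an assumption.

```python
"""Check that an LDAP base DN covers every DN that authentication depends on."""

def split_dn(dn):
    """Split a DN into RDNs, honouring backslash-escaped characters."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return rdns

def _key(dn):
    # RDNs are compared case-insensitively here (a simplification).
    return [rdn.casefold() for rdn in split_dn(dn)]

def in_scope(dn, base_dn):
    """True if a subtree search rooted at base_dn can return dn."""
    d, b = _key(dn), _key(base_dn)
    return len(b) <= len(d) and d[len(d) - len(b):] == b

def out_of_scope(base_dn, required_dns):
    """DNs that a search under base_dn would never find."""
    return [dn for dn in required_dns if not in_scope(dn, base_dn)]

def narrowest_base(dns):
    """Deepest DN that is an ancestor of (or equal to) every DN in dns."""
    keys = [_key(dn)[::-1] for dn in dns]
    n = 0
    for column in zip(*keys):
        if len(set(column)) != 1:
            break
        n += 1
    first = split_dn(dns[0])
    return ",".join(first[len(first) - n:]) if n else ""

USER = "CN=mbeattie,OU=Employees,DC=testlab,DC=local"
SERVICE = "CN=srv_netapp_wfa,OU=Service Accounts,DC=testlab,DC=local"
GROUP = "CN=WFA-Admins,OU=Groups,DC=testlab,DC=local"  # assumed to need scope too
ESCAPED = r"CN=Beattie\, Matt,OU=Employees,DC=testlab,DC=local"  # constructed

if __name__ == "__main__":
    for base in ("OU=Service Accounts,DC=testlab,DC=local", "DC=testlab,DC=local"):
        print(base, "misses", out_of_scope(base, [USER, GROUP]))
    print("narrowest:", narrowest_base([USER, SERVICE, GROUP]))
```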