I think there might be several 3.2 security role synchronization bugs out there currently, but one that took me two weeks to figure out is fixed, and it might help out other people.
Before attempting this fix, make sure your DNN role name matches the AD group sAMAccountName and that you have Synchronize Roles checked in the Authentication module.
The problem I was having is that under DNN 3.2 users were not being added to their correct security role. I checked to make sure the DNN security role name matched the AD sAMAccountName exactly, and still no luck.
I believe the problem lies in the way my AD is set up. We are in a legacy mixed mode AD, so while the AD groups were being found, no members were being found for the group, and thus the user was never added to the DNN role.
I had to modify the ADSI Provider source code to get it to work. The code to change is in the Utilities.vb file of the Authentication.ADSI project. There are two methods to change: GetGroupEntryByName and GetGroupEntriesByName. Both methods should be changed the same way. I replaced the first couple of lines so that the search for the group entry object does not use the wrapped objects but instead uses a new DirectoryEntry object and DirectorySearcher object. Here is a VB code snippet:
    Imports System.DirectoryServices

    Public Shared Function GetGroupEntryByName(ByVal GroupName As String) As DirectoryEntry
        ' Bind straight to the current domain root (empty path) instead of the provider's wrapped objects
        Dim objLDAP As New DirectoryEntry
        If Not DirectoryEntry.Exists("LDAP://rootDSE") Then
            Return Nothing
        End If
        Dim objSearch As New DirectorySearcher(objLDAP)
        objSearch.Filter = String.Format("(&(objectClass=group)(sAMAccountName={0}))", GroupName)
        Dim objSearchResult As SearchResult = objSearch.FindOne()
        ' FindOne returns Nothing when no group matches; GetDirectoryEntry() would throw on it
        If objSearchResult Is Nothing Then
            Return Nothing
        End If
        Dim groupEntry As DirectoryEntry = objSearchResult.GetDirectoryEntry()
        ' ... the remainder of the original method is unchanged ...
The rest of the code is the same. This is a pure hack but it works. Hopefully Tam and team will correct this for the next version.
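Added example (not from the original post or the DNN ADSI provider): the same sAMAccountName search, with a Nothing check on FindOne, RFC 4515 escaping of the role name before it goes into the LDAP filter, and a membership test that also catches users whose primary group is the role's AD group, since those users are not listed in the group's member attribute. It assumes a .NET project referencing System.DirectoryServices running on a domain-joined machine; the names jdoe and Editors are placeholders.

```vbnet
Imports System
Imports System.DirectoryServices

Public Module AdRoleMembershipCheck

    ' Escape the characters RFC 4515 reserves in LDAP filter values so a role
    ' name containing "(", ")", "*" or "\" cannot change the filter's meaning.
    Public Function EscapeFilterValue(ByVal value As String) As String
        Return value.Replace("\", "\5c").Replace("*", "\2a") _
                    .Replace("(", "\28").Replace(")", "\29")
    End Function

    ' Search the current domain (empty DirectoryEntry path = domain root) for one
    ' object of the given class by sAMAccountName. Returns Nothing when not found
    ' instead of letting GetDirectoryEntry() throw on a Nothing SearchResult.
    Public Function FindBySamAccountName(ByVal objectClass As String, _
                                         ByVal name As String) As DirectoryEntry
        Dim domainRoot As New DirectoryEntry()
        Dim searcher As New DirectorySearcher(domainRoot)
        Try
            searcher.Filter = String.Format("(&(objectClass={0})(sAMAccountName={1}))", _
                                            objectClass, EscapeFilterValue(name))
            Dim result As SearchResult = searcher.FindOne()
            If result Is Nothing Then Return Nothing
            Return result.GetDirectoryEntry()
        Finally
            searcher.Dispose()
        End Try
    End Function

    ' True if the user is a direct member of the group. The group's "member"
    ' attribute omits users whose primary group this is; those are linked only
    ' through the user's primaryGroupID, so that case is checked separately.
    Public Function IsDirectMember(ByVal group As DirectoryEntry, _
                                   ByVal user As DirectoryEntry) As Boolean
        Dim userDn As String = CStr(user.Properties("distinguishedName").Value)
        For Each memberDn As Object In group.Properties("member")
            If String.Compare(CStr(memberDn), userDn, True) = 0 Then Return True
        Next
        ' primaryGroupToken is a constructed attribute: it must be requested explicitly.
        group.RefreshCache(New String() {"primaryGroupToken"})
        Dim groupRid As Object = group.Properties("primaryGroupToken").Value
        Dim userPrimaryGroup As Object = user.Properties("primaryGroupID").Value
        If groupRid Is Nothing OrElse userPrimaryGroup Is Nothing Then Return False
        Return CInt(groupRid) = CInt(userPrimaryGroup)
    End Function

    ' Placeholder usage: does domain user "jdoe" belong to the AD group backing DNN role "Editors"?
    Public Function UserIsInRole(ByVal userName As String, ByVal roleName As String) As Boolean
        Dim group As DirectoryEntry = FindBySamAccountName("group", roleName)
        Dim user As DirectoryEntry = FindBySamAccountName("user", userName)
        If group Is Nothing OrElse user Is Nothing Then Return False
        Return IsDirectMember(group, user)
    End Function

End Module
```

Running UserIsInRole against a role that syncs no members is a quick way to tell whether the group lookup or the member enumeration is the part that fails.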
If you want my code or just the compiled assemblies email me at mgilbert at tavilo dot com.