I'm part of a team working for a customer that is doing a first-time deployment of CA SSO. Their user directory is AD LDS. User objects have an objectClass of "userProxy", so we had to update several parameters in the Windows registry to accommodate this new object class. All policies to date are enabled for all users in the directory, and we have not had any problems with users getting authorized. So far, so good.
We now want to be able to restrict a particular URI to a single service account. We have created a separate realm so we can restrict access to the resource and have modified the policy accordingly. The user is successfully authenticated, but gets an AzReject. We are suspicious that the policy server and/or Windows is still lacking some required configuration element to be able to identify individual users in AD LDS.
Any suggestions would be appreciated!