Question

I have a SQL Server 2000, C# & ASP.net web app. We want to control access to it by using Active Directory groups. I can get authentication to work if the group I put in is a 'Global' but not if the group is 'Universal'.

How can I make this work with 'Universal' groups as well? Here's my authorization block:

  <authorization>
    <allow roles="domain\Group Name Here"/>
    <allow roles="domain\Group Name Here2"/>
    <allow roles="domain\Group Name Here3"/>
    <deny users="*"/>
  </authorization>

Solution 2

Turns out I needed to use the "Pre Win2000" id not the regular one.

OTHER TIPS

Depending on your Active Directory topology, you might have to wait for the Universal Group membership to replicate around to all the Domain Controllers. Active Directory recommends the following though:

  1. Create a Global group for each domain, e.g., "Domain A Authorized Users", "Domain B Authorized Users"
  2. Put the users you want from Domain A in the "Domain A Authorized Users" group, etc
  3. Create a Universal group in the root domain "All Authorized Users"
  4. Put the Global groups in the Universal group
  5. Secure the resource using the Universal group: <allow roles="root domain\All Authorized Users"/>
  6. Wait for replication

One advantage of this scheme is that when you add a new user to one of the Global groups, you won't have to wait for GC replication.
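
A diagnostic for both answers above, added here as an example and not code from the thread: it lists the groups in the current Windows token under the DOMAIN\name form (the pre-Windows 2000 name) that role checks compare against, then tests each role string passed on the command line. The class name and the idea of running it as a console program under the affected account are assumptions; in the web app the same calls apply to the request's WindowsIdentity.

```csharp
using System;
using System.Security.Principal;

// Added example (not from the thread). Run as the affected user, passing the
// role strings from the <authorization> block as arguments, for instance:
//   TokenGroupDump.exe "domain\Group Name Here"
public static class TokenGroupDump
{
    public static void Main(string[] args)
    {
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        WindowsPrincipal principal = new WindowsPrincipal(identity);
        Console.WriteLine("Identity: " + identity.Name);

        // Group SIDs carried in the token. Membership is fixed at logon, so a
        // group added (or replicated) later only appears after a new logon.
        Console.WriteLine("Groups in token:");
        foreach (IdentityReference sid in identity.Groups)
        {
            string name;
            try
            {
                // NTAccount is the DOMAIN\sAMAccountName form, i.e. the
                // "pre-Windows 2000" group name, not the display name.
                name = sid.Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                name = "(SID could not be resolved to a name)";
            }
            Console.WriteLine("  {0}  {1}", sid.Value, name);
        }

        // IsInRole(string) resolves the name to a SID and checks the token;
        // a name that does not resolve simply yields false.
        Console.WriteLine("Role checks:");
        foreach (string role in args)
        {
            Console.WriteLine("  {0} -> {1}", role, principal.IsInRole(role));
        }
    }
}
```

If a Universal group is missing from the list, the token predates the membership change or replication has not finished; if it is listed under a different name than the one in web.config, the role string is the mismatch.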

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow