Monday, June 20, 2011

Check Permissions shows None for a user on a Claims-Based site if the user is granted permission through an AD group

We are running into a critical issue on our SharePoint 2010 Extranet implementation that we are working through with Microsoft as a critical bug. Here are the details of the issue and the steps to reproduce it. Please let me know if you have any solution or workaround.

Issue description: Check Permissions reports None for a user on a Claims-Based site, before that user has ever logged in, if the user is granted permission through an AD group.

Procedure to reproduce:
1. Create a web application and select "Claims Based Authentication", leaving everything else at its default, as shown in the screen shot below.


2. Create a site collection from any template, such as the "Team Site" template, as shown in the screen shot below.


3. Add an AD group such as ems.sp.team to any SharePoint group, such as the Site Members group. Note that a user with the ID "harryc" is a member of that AD group.



4. Check Permissions on the user in that group (it shows None). The correct result should show that this user has the Members group permission. Click Site Actions -> Site Permissions -> Check Permissions and enter the user ID "harryc", as shown in the following screen shot.

We have run gpupdate /force (from PowerShell) and the result is the same.

5. Use "harryc" to log in once and repeat step 4 above. The permission check result is now correct: Contribute, given through the "Harry Members" group.
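As an added example (not from the original post), the following PowerShell performs the same check as step 4 through the SharePoint 2010 server object model, so an administrator can confirm the None result for a user who has never signed in without walking through the UI. It assumes it is run in the SharePoint 2010 Management Shell on a farm server; the site URL, domain and login are placeholders.

```powershell
# Added example, not from the original post. Reproduces the Check Permissions step
# against a claims-based web for one Windows account. Assumptions: SharePoint 2010
# Management Shell on a farm server; URL and login below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-EffectivePermissionReport {
    param(
        [string]$SiteUrl,      # placeholder, e.g. "http://extranet.example.com"
        [string]$WindowsLogin  # placeholder, e.g. "EXAMPLE\harryc"
    )
    $web = Get-SPWeb $SiteUrl
    try {
        # On a claims web application a Windows account is stored in encoded claim form
        # ("i:0#.w|domain\user"); let the claim provider manager do that encoding.
        $mgr   = [Microsoft.SharePoint.Administration.Claims.SPClaimProviderManager]::Local
        $idType = [Microsoft.SharePoint.Administration.Claims.SPIdentifierTypes]::WindowsSamAccountName
        $login = $mgr.ConvertIdentifierToClaim($WindowsLogin, $idType).ToEncodedString()

        # Same computation as Site Actions -> Site Permissions -> Check Permissions.
        $info  = $web.GetUserEffectivePermissionInfo($login)
        $levels = @()
        foreach ($ra in $info.RoleAssignments) {
            foreach ($rd in $ra.RoleDefinitionBindings) {
                $levels += [pscustomobject]@{ Level = $rd.Name; Through = $ra.Member.Name }
            }
        }
        [pscustomobject]@{
            Login        = $login
            CanViewPages = $web.DoesUserHavePermissions($login, [Microsoft.SharePoint.SPBasePermissions]::ViewPages)
            Levels       = $levels   # empty list corresponds to "None" in the UI
        }
    }
    finally {
        $web.Dispose()
    }
}

# Run once before and once after the user's first login to compare the two results.
Get-EffectivePermissionReport -SiteUrl "http://extranet.example.com" -WindowsLogin "EXAMPLE\harryc"
```

An empty Levels list for a user who is only a member of the AD group is the symptom described in step 4; after the user's first login the same call should list the group and its permission level.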



Since we are implementing a SharePoint Extranet and will need to hide all users on the site collections except those inside a given site collection, we need this Check Permissions function to work in order to complete that feature.

We are on the SharePoint 2010 RTM release without any CU updates. Please let me know if you have any solution or workaround.

Yesterday, Microsoft reproduced this issue, and the tricky part is that you can ONLY reproduce it if the AD groups are at the Windows 2003 Domain Functional Level. See the screen shot for the version.



If you are using the Windows 2008 Domain Functional Level, you will not have this issue. With the Windows 2003 Domain Functional Level, we are able to reproduce this issue on SharePoint RTM, April CU, October CU, and SP1 + June CU. We have tested AD on Windows 2008 and 2008 R2 servers for both Universal and Global AD groups.

Since this has been submitted to Microsoft as a bug, it may be resolved in a future release. In the meantime, you may consider raising your Windows 2003 Domain Functional Level to 2008 if you need to resolve the issue, or ask your end users to log in to the site at least once. I was thinking of developing a script to log all users in to the site automatically, but since that would mess up the auditing, I have put the thought on hold for now.

If you have any better idea, please let me know.
