I actually got AD/DNN group synchronization working (wonder of wonders).  I had to ensure that the DNN role name EXACTLY matched the AD group name *including the domain*.  So rather than having a DNN role called Developers, I needed to create a role called MYDOMAIN\Developers.  I came across this when I saw that all new AD-sourced DNN accounts were being created with the domain name prefixed to the user name. 

Hope that helps.

I have a question...I went through all the steps up to un-commenting the web.config line, and I had set up a "Windows Logon" link on the main page...it's been working beautifully, but I wanted the auto-login now.  I uncommented the line, saved the file, and re-loaded, but we can't get the auto-login now.  It'll just act exactly the same as before.

Any ideas?

I have noticed that between portals if the roles are not replicated, rights will not function properly.  I'm not sure if this is an issue with DNN rights controls or with AD synch. 

Case:

• Both portal A & B use AD with Role Synch. 
• User is in both portals
• User is not admin in either site
• Portal B has Role "Blogger" with Blog module on one page, and rights to edit (create blogs) set for role "Blogger" only (admin defaults in of course)
• User signes in on portal A with AD credentials, then navigates to portal B
• Portal B is already synched with AD and user, so he does not have to log in again, but continues working
• On blog module, user can not create his blog - despite role assignment
• User checks membership and blogger role does not show (not sure if it should if not public)
• User logs off
• User logs back on to Portal B directly
• User then goes to blog page with module and can now edit/create his blog
• user logs off and returns back to Portal A to log in there
• User logs in portal A then navigates to Portal B
• again - user remains logged in as expected, but now does not have rights to blog

This implies that rights follow based on the portal logged into first (session). Not sure if this is by design with the new membership in 4.x, but this is what I observe.  Once I replicate the role of "Blogger" to Portal A, then everything works on teh blog module for his rights as expected, regardless of where he first logged in.  

This is an issue only in the fact that different portals will provide different roles for each user (I assume).  I am thinking of turning off the role synch - since it doesn't really provide much in my case, and I have seen reported issues of non-AD roles getting stripped, but I have not seen that so far. 

Hope this helps.