It's the group stuff. That will let the user log in, but not pull any groups, making the security policies not match.

Once logged in with 'user', doing a "show user ip-user-mapping ip x.x.x.x" only shows:

    IP address: 192.168.1.10 (vsys1)
    User: domain.com\FLast
    From: CP
    Idle Timeout: 894s
    Max. TTL: 3583s
    MFA Timestamp: first(1) - 2018/09/05 11:02:37
    Group(s): domain.com\FLast(225)

while logging in with user@domain.com shows:

    IP address: 192.168.1.10 (vsys1)
    User: FLast@domain.com
    From: CP
    Idle Timeout: 896s
    Max. TTL: 3596s
    MFA Timestamp: first(1) - 2018/09/05 11:04:12
    Group(s): FLast@domain.com(115260)
              domain\Flast(712)
              cn=administrators,cn=builtin,dc=ccboe,dc=com(2147483660)

as well as the rest of the groups.

Currently publishing the change to have the captive portal only use the one profile made for just 'user', like you showed, instead of the sequence.

EDIT - Testing the portal with just the one profile that has userPrincipalName domain.com %USERINPUT%@%USERDOMAIN% resulted in the same behaviour as above, without the groups.
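Added example, not part of the post above and not Palo Alto Networks code: a small Python parser for the "show user ip-user-mapping ip" output quoted in the post, plus a check that flags the first case (the only entry under Group(s) is the user's own identity, so no directory groups were pulled for that mapping). The two sample outputs are constructed copies of the results quoted above; the field layout, and the assumption that the Group(s) entries are the trailing lines of the output, are taken from those two samples only.

```python
"""Parse 'show user ip-user-mapping ip <addr>' output and flag mappings with no real groups.

Added example, not from the original post. The sample outputs below are constructed
from the two mappings quoted in the thread; the field names are assumed from that output.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: login as plain 'user' (no directory groups pulled).
SAMPLE_NO_GROUPS = """\
IP address: 192.168.1.10 (vsys1)
User: domain.com\\FLast
From: CP
Idle Timeout: 894s
Max. TTL: 3583s
MFA Timestamp: first(1) - 2018/09/05 11:02:37
Group(s): domain.com\\FLast(225)
"""

# Constructed sample: login as user@domain.com (groups resolved).
SAMPLE_WITH_GROUPS = """\
IP address: 192.168.1.10 (vsys1)
User: FLast@domain.com
From: CP
Idle Timeout: 896s
Max. TTL: 3596s
MFA Timestamp: first(1) - 2018/09/05 11:04:12
Group(s): FLast@domain.com(115260)
          domain\\Flast(712)
          cn=administrators,cn=builtin,dc=ccboe,dc=com(2147483660)
"""


@dataclass
class UserMapping:
    ip: str
    vsys: str
    user: str
    source: str            # the "From:" field, e.g. CP for captive portal
    idle_timeout_s: int
    max_ttl_s: int
    mfa_timestamp: str
    groups: list = field(default_factory=list)  # (group name, numeric id) tuples


# A group entry looks like "<name>(<numeric id>)"; the name may itself contain parentheses.
_GROUP_RE = re.compile(r"^(?P<name>.+?)\((?P<gid>\d+)\)$")


def parse_ip_user_mapping(text: str) -> UserMapping:
    """Parse one mapping record. Assumes Group(s) entries are the trailing lines."""
    fields = {}
    groups = []
    in_groups = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_groups:
            m = _GROUP_RE.match(line)
            if m:
                groups.append((m["name"], int(m["gid"])))
                continue
            in_groups = False
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"unparsable line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "Group(s)":
            in_groups = True
            m = _GROUP_RE.match(value)
            if m:
                groups.append((m["name"], int(m["gid"])))
        else:
            fields[key] = value
    ip, _, vsys = fields["IP address"].partition(" ")
    return UserMapping(
        ip=ip,
        vsys=vsys.strip("()"),
        user=fields["User"],
        source=fields["From"],
        idle_timeout_s=int(fields["Idle Timeout"].rstrip("s")),
        max_ttl_s=int(fields["Max. TTL"].rstrip("s")),
        mfa_timestamp=fields.get("MFA Timestamp", ""),
        groups=groups,
    )


def _short_name(identity: str) -> str:
    """Reduce 'DOMAIN\\user', 'user@domain' or a bare name to the lowercased user part."""
    if "\\" in identity:
        identity = identity.rsplit("\\", 1)[1]
    elif "@" in identity:
        identity = identity.split("@", 1)[0]
    return identity.lower()


def real_groups(mapping: UserMapping) -> list:
    """Group names other than the user's own identity (listed as a pseudo-group in any domain form)."""
    me = _short_name(mapping.user)
    return [name for name, _ in mapping.groups if _short_name(name) != me]


def group_mapping_missing(mapping: UserMapping) -> bool:
    """True when the mapping carries no directory groups, only the user's own identity."""
    return not real_groups(mapping)
```

Running parse_ip_user_mapping on each sample and then group_mapping_missing shows the difference the post describes: the 'user' login yields a mapping whose only group is domain.com\FLast itself, while the user@domain.com login yields the builtin administrators group (and, on a real box, the rest). The short-name normalisation is what lets the check treat domain.com\FLast, FLast@domain.com and domain\Flast as the same identity rather than as three groups.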