Upon user login, username and users affiliation is queried against existing AD database. This is done using the specified ACTIVE_DIRECTORY_AUTH_USER (query-user) which serves as a proxy and queries the entered information against the existing database.

If the user exists in the AD, information about user groups and affiliation is transferred to Digizuite™ DAM Center and paired against groups marked as active AD groups, based on "Active Directory Group Name". If a match can be found, user is paired and allocated with groups in the Digizuite™ DAM Center similar to those in the AD-database.

Note: If the user is removed from existing AD groups, this will be reflected inside the Digizuite™ DAM Center.

Important – Especially for Windows Server 2008

Windows Authentication will not work unless the following registry changes are made:

• Click Start, click Run, type regedit, and then click OK.
• In Registry Editor, locate and then click the following registry key: _HKEY_LOCAL_MACHINE \ SYSTEM _ CurrentControlSet _\ Control _ Lsa
• Right-click Lsa, point to New, and then click DWORD Value.
• Type DisableLoopbackCheck, and then press Enter.
• Right-click DisableLoopbackCheck, and then click Modify.
• In the Value data box, type 1, and then click OK.
• Quit Registry Editor, and then restart server.

Read more: http://www.information-worker.nl/2009/06/23/disableloopbackcheck-on-windows-server-2008/