ESM is configured to use Active Directory for authentication. One or more Active Directory groups are correctly added to ESM. A particular user is a member of one or more of the groups that are configured in ESM. When the particular user attempts to log in, they receive a message that says “You do not have the required permissions to access the Enterprise Surveillance Manager.”
*Please note: Active Directory changes may take a while to replicate.
ESM has to be able to do is look up a user's token using S4U2Self Kerberos Extensions.
Open Internet Information Services (IIS) Manager
Select “Application Pools”
Note which Identities are being used to run the application pools for ESM. If the application pools are running as “NetworkService”, then they will authenticate to the domain using the servers Active Directory machine account, which is usually the NetBIOS name of the machine followed by a dollar sign ($).
Open Active Directory Users and Computers
Add a new universally scoped security group to the domain (ex: ADTokenReaders).
Add the application pool Identities (noted earlier) to the group.
Open ADSI Edit
Find the top level tree node which contains all users. This may be the domain node itself, or you may be able to specify a lower level node if the users are all underneath it. For simplicity, it is recommended to use the top level node.
Right Click > Properties > Security > Advanced > Add > “ADTokenReaders”
Check “List contents”, “Read all properties”, “Read permissions”, “Apply these permissions to …”
You can also try following the directions in this Microsoft knowledge base. They explain which groups should already have these permissions, based on how and when the domain was created.