After spending all day on this, it seems that the Windows providers allow you to specify groups with the domain prefix (e.g., MyDomain\MyGroup)... where the AD providers seem to just expect the group name. I found it by accident. Replacing all of MyDomain\MyGroup with simply MyGroup in web.config seems to have allowed the basic CMS security to work.
Next, on to Community....
You can actually also specify groups without the prefix with the Windows provider, provided that you make use of the deletePrefix attribute on the membership provider :)
I need to use LDAP authentication for EPiServer, but I'm having issues. The Windows(Role|Membership)Provider(s) work great, but as soon as I swap to the active directory versions, when I try to log in to CMS admin, my username/password is accepted (I'm authenticated), but I'm immediately directed back to the login (which I assume means the system thinks I am not authorized).
I found the following blog post. Can anyone tell me if this is still true of CMS7? Do I have to strip the domain from the membership provider in order to get an LDAP solution to work?
My connection settings for the role/membership providers are exactly the same. I'm using attributeMapUsername="sAMAccountName". What else do I look for?