Using users from Active Directory to sign in to Websites

Hi,

Is there any possibility to control which user can access websites using a user list from Active Directory? I have an OS X Server that is bound to Active Directory and Open Directory. Everything else seems to be working fine - I can browse AD users and AD groups in Server.app, I can use any AD user in Profile Manager for example, but when it comes to setting Who Can Access website it only works with OD user. I think I've tried almost everything, even nesting AD usergroup in OD usergroup and it failed.

In apache error_log it says something like this:

[Fri Mar 29 11:27:59 2013] [error] [client 10.232.43.247] mod_digest_apple: Unable to authenticate for URI "/" from user "u272086" for realm "Browse access /Library/Server/Web/Data/Sites/Default"

[Fri Mar 29 11:27:59 2013] [error] [client 10.232.43.247] mod_digest_apple: Authentication failed (details unavailable)

When I look into system.log I can see an error:

Mar 29 11:55:39 <computer_name> kernel[0]: Sandbox: sandboxd(2888) deny mach-lookup com.apple.coresymbolicationd

Mar 29 11:55:39 <computer_name> sandboxd[2888] ([2887]): rpcsvchost(2887) deny file-read-data /private/etc/krb5.conf

Please help

Best regards.