In Jenkins the LDAP plugin is configured to talk to an Active Directory server for user authentication. In addition we use the Matrix Authorization plugin to configure access to jobs.

When a user first logs in everything looks fine. The whoAmI page shows the "authenticated" authority in addition to groups and roles. After a while (about an hour) [1], however, some users are no longer granted the "authenticated" authority. While they are still logged in, they will receive an "access denied" error, when trying to perform an action for which permission is granted to the "authenticated" group.

Almost all our jobs require the user to log in, while accessing general build information is also granted to anonymous users.

[1] I believe an hour is the idle time out when not using the "remember me" feature. However, I've also seen it happen when a user does not log out on a laptop. Next day, when visiting Jenkins web interface again, the user is still logged in, but not sufficiently authorized.