We recently migrated to ZCM 10.2 from ZfD 7, and all seems to be going well minus this one baffling problem:

We have a very simple tree, with our main administrative users residing in the root context and all users residing in role-specific sub-contexts. Said administrative users all have aliases in each of our sub-contexts.

All of our users can login to the ZCM adaptive agent, but nobody in the root context can. We simply get an error that the user is not found and/or there is a certificate problem (which can't be the case, since users login without incident).

Are we breaking some fundamental rule by keeping our admin use in the root context, or is there some way to allow these users to login to ZCM without creating a dedicated sub-context for them?

Thanks in advance for any assistance that you can offer.