Authentication with Active Directory is slow in VMware vRealize LogInsight 3.0 when users belong to multiple nested groups

Article ID: 342986

Products

VMware Aria Suite

Issue/Introduction

Symptoms:

When users belong to multiple nested Active Directory groups, you experience these symptoms:



Environment

VMware vRealize Log Insight 2.5.x
VMware vCenter Log Insight 2.x
VMware vRealize Log Insight 3.0.x

Cause

VMware vRealize Log Insight 2.0 and later supports integration with Active Directory for authentication. By default, Log Insight retrieves direct group membership of users when applying authorization policies.

The configuration option <ad-nested-groups value="true" /> enables traversal of all nested groups.

When Log Insight is configured to traverse nested groups, it recursively retrieves information about every group in the tree that a user is eventually a member of, which may take multiple minutes in a large environment.

Resolution

This is a known issue affecting VMware vRealize Log Insight 2.0, 2.5, and 3.0.

This issue is resolved in Log Insight 3.3 build 3571626, released 2016-03-01. New installations and upgrades will leverage LDAP_MATCHING_RULE_IN_CHAIN to query nested group membership. For more information, see the release notes.
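The following added example (not VMware's code) contrasts the two lookup strategies described above: client-side recursive traversal, which costs one search per group visited, and a single search using the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941). The directory contents, the `example.test` DNs and all function names are constructed for illustration, and the LDAP server is replaced by an in-memory dictionary.

```python
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN

# Constructed sample directory: group DN -> DNs of its direct members.
BASE = "DC=example,DC=test"
USER = "CN=Smith\\, Jo (ops),OU=Staff," + BASE
DIRECTORY = {
    "CN=Ops-EU," + BASE: [USER, "CN=LI-Admins," + BASE],  # circular nesting
    "CN=Ops," + BASE: ["CN=Ops-EU," + BASE],
    "CN=LI-Admins," + BASE: ["CN=Ops," + BASE],
    "CN=Finance," + BASE: ["CN=Other User,OU=Staff," + BASE],
}

def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def in_chain_filter(user_dn):
    """Filter for one server-side search returning every group that contains
    user_dn directly or through nesting."""
    return "(member:%s:=%s)" % (IN_CHAIN_OID, escape_filter_value(user_dn))

def direct_groups(member_dn):
    """Stand-in for one LDAP search: groups that list member_dn directly."""
    return {g for g, members in DIRECTORY.items() if member_dn in members}

def recursive_groups(user_dn):
    """Client-side traversal, one search per DN visited.
    Returns (groups, number_of_searches)."""
    found, pending, searches = set(), [user_dn], 0
    while pending:
        searches += 1
        for group in direct_groups(pending.pop()) - found:  # skip seen: cycles
            found.add(group)
            pending.append(group)
    return found, searches

if __name__ == "__main__":
    groups, searches = recursive_groups(USER)
    print("recursive traversal: %d groups, %d searches" % (len(groups), searches))
    print("direct only:", sorted(direct_groups(USER)))
    print("single search filter:", in_chain_filter(USER))
```

With nested traversal disabled, only the `direct_groups` result is evaluated, so in this sample a role bound to `CN=LI-Admins` would not apply to the user until the user is added to that group directly, which is what the workaround below does.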

To work around this issue:

  1. Create a new group for Log Insight users in Active Directory.
  2. Add desired users as direct members of the newly-created group.
  3. Disable nested group traversal by setting the configuration option <ad-nested-groups value="false" />.
For more information, see:


Additional Information

For more information on nested groups in Active Directory, see the Microsoft TechNet article cc776499.

Note: The preceding link was correct as of November 26, 2015. If you find the link is broken, provide feedback and a VMware employee will update the link.

Changing internal configuration options in VMware vRealize Log Insight