I've been going crazy trying to figure out why this scenario is not working. I have set up a new VCSA 6.5 server and joined it to AD, and then I added an Active Directory (Integrated Windows Authentication) identity source. I then added an AD group that contains the AD user accounts I want to grant access to into the vsphere.local Administrators group. I am unable to log in with any of the accounts in the AD group, but if I add the individual AD user account into the vsphere.local Administrators group I am able to log in with that AD account. It almost seems like the VCSA doesn't know how to handle and parse down into an AD group.
I've tried removing the identity source, disjoining from AD, rejoining, and re-adding the identity source, to no avail. I was going to try Active Directory as an LDAP server, but I couldn't get it to add no matter what settings I tried, and I know the LDAP settings are correct because I use the same settings on another application I have that does LDAP authentication.
What is even more puzzling is that I had set up a test VCSA 6.5 server to document the exact procedure to follow when I set up this new VCSA 6.5 server, and my test VCSA 6.5 server works with the AD groups as expected.
Any suggestions are appreciated, as I don't think I missed anything, or did I?
In previous versions SSO didn't like mixing different SSO sources along with nested groups, as per the article below. It doesn't explicitly mention 6.5 and doesn't explain why it worked previously, but I just did a quick test and seemed to get the same behaviour...
I saw this KB and thought about it, and it would seem according to the KB that it shouldn't work, but what is puzzling is that somehow it works for one of my VCSA 6.5 servers, and I can't understand how it works for one VCSA and not the other. I literally created and set up both at the same time with the exact same steps, in the same order.