VMware Cloud Community
vishalch
Enthusiast

Nested AD group membership not working in VCSA 6.0

Hi Folks,

I am facing problems with nested group membership on my newly installed VCSA 6.0 (Embedded Mode).

I have joined the appliance to AD in the Root domain. I am observing the following scenarios.

1) I have added the Root domain as an Active Directory (Integrated Windows Authentication) identity source. So, the users from the root domain and child domains are able to login to vCenter if added explicitly by their user ids. However, a user who is in a child domain but is a member of a group in the Root or a Child domain is unable to login if the permission on vCenter is defined for that group.

2) I have added the Root domain as Active Directory (Integrated Windows Authentication) AND each child domain as an Active Directory as an LDAP Server identity source. So, the users from the root domain and child domains are able to login to vCenter if added explicitly by their user ids. A user who is in a child domain and is a member of a group in the same Child domain is able to login if the permission in vCenter is defined for that group. However, a user who is in a child domain but is a member of a group in the Root domain is unable to login if the permission in vCenter is defined for that group in the Root Domain.

Example :-

The following letters are used to refer to the different domains.

Root Domain = R

Child Domains = A, B, C and D.

1) User1 (Domain A) --> member of Group1 (Domain A) - Able to login.

2) User1 (Domain A) --> member of Group2 (Domain R) - Unable to login.

Is there anything wrong with the configuration, or am I missing something?

Please share your feedback. Thanks in advance.

4 Replies
vishalch
Enthusiast

Hello Folks,

Can someone help me on this?

Thanks

mhampto
VMware Employee

Could you get the SSO logs after a successful login and a login failure? Location of VMware vCenter Server 6.0 log files (2110014) | VMware KB

roman79
Enthusiast

Hi vishalch,

What is the build number of VCSA you're using?

Have you checked the following KB first? - Unable to administer vCenter Single Sign-On after adding a User Group and individual users from a Di...

Regards,

vishalch
Enthusiast

Hi roman79,

Thanks for your reply.

Please find the vCenter details: version 6.0.0 and build 3634794.

Secondly, I have checked the KB you shared. It is not applicable in this case.

The problem is that vCenter is unable to authenticate users from Domain B who are members of a group in Domain A, where permissions are assigned through that group in Domain A on a vCenter object.

Thanks
