I have a problem with group membership resolution for users that are members of a high number of AD groups (about 500 local and global AD groups).
In our environment we grant the VM users role to application admins.
Every VM has its own domain group, where the app admins are placed and the VM user role is granted. Users with membership in a high number of AD groups see only part of their VMs in vSphere Client.
Users with fewer group memberships see all their VMs.
vCenter Server 5.1 running on Windows 2k8 R2 server (member of AD)
ESXi 5.1 hosts and about 600 VMs
1 Active Directory, MaxTokenSize set to maximum - 64k
This is a limitation in the vCenter 5.1 environment. It supports only 500 groups; it queries the first 500 groups only.
Disclaimer: I cannot prove it at the moment, but I faced the same issue and we used the workaround of providing access to the user directly on vCenter.
Please go through the articles below; they may be useful.
VMware KB: Cannot log in to vCenter Server using the domain username/password credentials via the vS...
VMware KB: Logging into vCenter Server using the vSphere Client with vCenter Single Sign-On in a mul...
If vCenter Server is at least 5.1 U1 you might want to look into the following.
VMware KB: Supported vCenter Single Sign-On 5.5 configuration and interoperability with vSphere 5.1
SSO 5.5 lifts some of the limitations that you are experiencing with SSO 5.1.