I've seen such issues before.
Usually adding Identity Source as "AD as an LDAP server" helps. Let me know if this helps.
Please mark my comment as the Correct Answer if this solution resolved your problem.
During my research I also ran across forum postings saying that using LDAP would work. It is just frustrating because we have 5 other VCSAs that do not have this problem. This particular VCSA resides in the same subnet as the DC that it would be communicating with, so there are no firewalls causing issues.
If I cannot find a solution by Tuesday, then I will try the LDAP solution. Not ideal, as it would be configured differently than the rest of the environment.
Just try one more time: disjoin the VCSA from the domain and re-add it (reboot required), and check domain and VCSA time synchronization.
Did you get IWA working, or did you have to use "AD as an LDAP server"?
Tried the disjoin and rejoin. Did it using the GUI, then the shell. Same result.
Went through the hassle and set up the LDAP, and it works. No victory for me; now I need to document this, as it is different from all the other VCSAs in the environment.
So it works, I am just not happy about the implementation.
The answer is: if user groups do not work using AD Integration, then use LDAP.