LDAP users experience slow NSX-T UI logins

Article ID: 326174

Products

VMware NSX

Issue/Introduction

  • NSX-T is configured with LDAP (Active Directory) as a directly integrated identity source, and RBAC roles are assigned to LDAP users or groups.
  • Users who belong to a large number of AD groups, either directly or through nesting, experience slow UI logins.
  • A user may be able to log in but is then logged out automatically after a few minutes.

Environment

  • VMware NSX-T Data Center 3.x.
  • VMware NSX 4.0.x, 4.1.x and 4.2.0.x

Cause

  • Even though a user may be a direct member of only a small number of AD groups, group nesting can expand that to a very large effective membership.
  • As part of the login process, NSX-T performs a full recursive lookup of the user's nested groups.
  • This lookup is expensive, and the time it takes delays the login.

Resolution

This issue is fixed in NSX 4.2.1 and later: NSX now looks up and expands only the groups that have been added to NSX (that is, groups that have been assigned an NSX role), instead of every group the user belongs to.

Workaround:
To avoid slow logins caused by AD group nesting, Broadcom recommends staying within the following limits:

  • Maximum group nesting depth: 3.
  • Maximum number of groups a user belongs to (including nested groups): 50.
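
The following script, added here as an example and not part of this article or of NSX itself, shows how to estimate whether a user exceeds the limits above before enabling direct LDAP integration. It reproduces the two lookups described on this page over a constructed in-memory directory: the full recursive expansion of a user's nested groups (the expensive lookup the Cause section describes), and a targeted expansion that starts from only the groups that carry an NSX role (the lookup strategy the 4.2.1 fix describes). The directory, the `corp.example` domain, the user and group DNs, and the `NSX-Admins` role mapping are all constructed for this example; direct membership is counted as nesting depth 1, which is an assumption about how the depth limit is measured. Two of the groups nest each other, which AD permits and which any recursive expansion has to survive.

```python
from collections import deque

# Broadcom-recommended limits from the Workaround section above.
MAX_NESTING_DEPTH = 3
MAX_EFFECTIVE_GROUPS = 50


def group_dn(cn: str) -> str:
    """Build a group DN in the hypothetical corp.example domain."""
    return f"CN={cn},OU=Groups,DC=corp,DC=example"


USER_ALICE = "CN=alice,OU=Users,DC=corp,DC=example"
USER_BOB = "CN=bob,OU=Users,DC=corp,DC=example"

# Constructed directory: principal DN -> DNs of the groups it is a DIRECT
# member of, i.e. what that principal's memberOf attribute would return.
# Corp and AllStaff nest each other on purpose: AD allows this, and a naive
# recursion without a visited set would never terminate.
DIRECTORY = {
    USER_ALICE: [group_dn("NetOps"), group_dn("AllStaff")],
    USER_BOB: [group_dn("Contractors")],
    group_dn("NetOps"): [group_dn("Infra"), group_dn("OnCall")],
    group_dn("Infra"): [group_dn("IT")],
    group_dn("IT"): [group_dn("Corp")],
    group_dn("Corp"): [group_dn("AllStaff")],
    group_dn("AllStaff"): [group_dn("Corp")],
    group_dn("OnCall"): [group_dn("NSX-Admins")],
    group_dn("NSX-Admins"): [],
    group_dn("Contractors"): [group_dn("Vendors")],
    group_dn("Vendors"): [group_dn("External")],
    group_dn("External"): [group_dn("Partners")],
    group_dn("Partners"): [],
}

# Hypothetical mapping of groups that have been added to NSX with a role.
ROLE_GROUPS = {group_dn("NSX-Admins"): "Enterprise Admin"}


def expand_groups(principal, member_of):
    """Full recursive expansion of a principal's nested groups.

    Returns {group_dn: depth} for every group reachable from principal,
    where depth 1 is direct membership. Breadth-first, so each group is
    recorded at its shallowest depth; the 'seen' dict also breaks cycles.
    """
    seen = {}
    queue = deque((g, 1) for g in member_of.get(principal, ()))
    while queue:
        group, depth = queue.popleft()
        if group in seen:
            continue
        seen[group] = depth
        for parent in member_of.get(group, ()):
            if parent not in seen:
                queue.append((parent, depth + 1))
    return seen


def check_limits(principal, member_of,
                 max_depth=MAX_NESTING_DEPTH, max_groups=MAX_EFFECTIVE_GROUPS):
    """Compare a user's effective membership against the recommended limits."""
    groups = expand_groups(principal, member_of)
    depth = max(groups.values(), default=0)
    return {
        "effective_groups": len(groups),
        "max_nesting_depth": depth,
        "within_limits": len(groups) <= max_groups and depth <= max_depth,
    }


def invert(member_of):
    """Turn the memberOf view into a member view: group DN -> direct members."""
    members = {}
    for principal, groups in member_of.items():
        for g in groups:
            members.setdefault(g, []).append(principal)
    return members


def nsx_role_for(user, member_of, role_groups):
    """Targeted lookup in the spirit of the 4.2.1 fix (illustration, not NSX code).

    Only the groups that carry an NSX role are expanded, downward through
    their nested members, stopping at the first one that contains the user.
    The cost is bounded by the role groups' membership trees rather than by
    everything the user belongs to.
    """
    members = invert(member_of)
    for group, role in role_groups.items():
        seen = set()
        stack = [group]
        while stack:
            g = stack.pop()
            if g in seen:
                continue
            seen.add(g)
            for m in members.get(g, ()):
                if m == user:
                    return role
                if m not in seen:
                    stack.append(m)
    return None


if __name__ == "__main__":
    for user in (USER_ALICE, USER_BOB):
        print(user, check_limits(user, DIRECTORY),
              "NSX role:", nsx_role_for(user, DIRECTORY, ROLE_GROUPS))
```

Against a real domain, populate the `DIRECTORY` map from each principal's `memberOf` attribute, or let the domain controller do the transitive expansion in a single query with the `LDAP_MATCHING_RULE_IN_CHAIN` matching rule, for example the filter `(member:1.2.840.113556.1.4.1941:=CN=alice,OU=Users,DC=corp,DC=example)` against the groups container; that query returns the effective group count directly but not the nesting depth, which still has to be walked as above.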

Alternatively, configure VMware Identity Manager (vIDM) as the identity source for NSX-T instead of direct LDAP integration.