Cross-domain AD users in universal groups fail to login using vIDB in VCF Operations and VCF operations for Logs
Article ID: 428285

Products

VCF Operations

Issue/Introduction

  • AD users from different subdomains that are added to a universal group are unable to log in to VCF Operations using vIDB.
  • In VCF 9.0, AD users in an AD group are not synced with vIDB, so the user cannot log in because vIDB did not pull them down.
  • When signing in with a cross-domain AD user in VCF Operations for Logs, you may see the following error in the UI: "401 Not Authorized Sorry, you are not authorized to view this page"
  • In VCF Operations for Logs you may see the following error in /storage/core/loginsight/var/ui_runtime.log:
    [2026-03-02 12:01:29.268+0000] ["https-openssl-apr-443-exec-10"/###.###.###.### ERROR] [com.vmware.loginsight.web.actions.settings.UsersActionBean] [Error generating AD Group autocomplete list] com.vmware.loginsight.rbac.RBACException: No groups with prefix ##### found in domain ######

Environment

  • VCF Operations 9.0.x
  • VCF Operations for Logs 9.0.x
  • VCF Identity Broker 9.0.x

Cause

vIDB uses the dn= portion of the universal group's Distinguished Name as the base search path for the LDAP query that enumerates the group's members. As a result, the search only returns members located in the same subdomain as the universal group (or in its child domains); any member of the group that lives in a different subdomain is not discovered as a member of the group.

Resolution

The Broadcom engineering team is aware of this limitation and will update the behavior in a future release of VCF Identity Broker.

Workaround

  • Option 1 - Create the universal group in the parent domain and add members from all child subdomains to that group in the parent domain.
  • Option 2 - Create a separate group in each subdomain and import each group separately into vIDB.
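The scoping problem described under Cause, and why Workaround Option 1 avoids it, as an added Python example that is not part of this article or of the VCF Identity Broker product. It derives a search base from a group's Distinguished Name in the way the article describes (the domain-component portion of the DN) and checks which member DNs fall inside that base. The domain names, group DNs and user DNs are constructed sample values, and the is_under_base check stands in for the LDAP server's subtree scoping; nothing here performs a real LDAP query.

```python
"""Illustrate how a search base derived from a group's DN scopes member discovery.

Hypothetical simulation written for this article; not vIDB code. The DNs below
are constructed samples (no escaped commas, so a plain split on "," is safe).
"""
from __future__ import annotations


def domain_components(dn: str) -> list[str]:
    """Return the DC= components of a DN, most specific first."""
    parts = [p.strip() for p in dn.split(",")]
    return [p for p in parts if p.upper().startswith("DC=")]


def search_base_from_dn(dn: str) -> str:
    """Derive a search base from a DN the way the article describes: keep only the domain part."""
    return ",".join(domain_components(dn))


def is_under_base(object_dn: str, base_dn: str) -> bool:
    """True when object_dn lies in the base_dn subtree (same domain or a child domain).

    This models the subtree scoping the article describes: members in the group's
    own domain or its children are found, members in sibling or parent domains are not.
    """
    obj = [c.lower() for c in domain_components(object_dn)]
    base = [c.lower() for c in domain_components(base_dn)]
    return len(obj) >= len(base) and obj[-len(base):] == base


def discover_members(group_dn: str, member_dns: list[str]) -> tuple[str, list[str], list[str]]:
    """Return (search_base, members found, members missed) for a membership lookup."""
    base = search_base_from_dn(group_dn)
    found = [m for m in member_dns if is_under_base(m, base)]
    missed = [m for m in member_dns if not is_under_base(m, base)]
    return base, found, missed


# Constructed sample forest: corp.example with child domains emea and apac,
# and a grandchild domain lab.emea.
GROUP_IN_CHILD = "CN=Ops-Admins,OU=Groups,DC=emea,DC=corp,DC=example"    # group created in a subdomain
GROUP_IN_PARENT = "CN=Ops-Admins,OU=Groups,DC=corp,DC=example"          # Workaround Option 1
MEMBERS = [
    "CN=alice,OU=Users,DC=emea,DC=corp,DC=example",        # same subdomain as the group
    "CN=bob,OU=Users,DC=apac,DC=corp,DC=example",          # sibling subdomain
    "CN=carol,OU=Users,DC=lab,DC=emea,DC=corp,DC=example", # child of the group's subdomain
    "CN=dave,OU=Users,DC=corp,DC=example",                 # parent domain
]


def report(group_dn: str) -> None:
    base, found, missed = discover_members(group_dn, MEMBERS)
    print(f"group:       {group_dn}")
    print(f"search base: {base}")
    for m in found:
        print(f"  found : {m}")
    for m in missed:
        print(f"  MISSED: {m}")
    print()


if __name__ == "__main__":
    report(GROUP_IN_CHILD)   # bob (sibling domain) and dave (parent domain) are not discovered
    report(GROUP_IN_PARENT)  # base is the parent domain, so every member is discovered
```

With the group in the emea subdomain the derived base is DC=emea,DC=corp,DC=example, so alice and carol are found while bob and dave are not, which is the failure mode the article describes. Moving the group to the parent domain (Option 1) widens the base to DC=corp,DC=example and every member falls inside it. When checking this against a real directory, keep in mind that a domain controller answers a search scoped to its own domain partition from that partition; a membership lookup that must span several domains in the forest is normally served by a Global Catalog query rather than a standard domain-scoped search, which is another reason per-domain groups (Option 2) sidestep the problem.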