An Error Occurred While Trying To Safely Select An Item

Orchestrator uses by default the UserPrincipal.GetAuthorizationGroups() method to fetch the AD group membership. Fix for handling when API seems to be very very slow in a large AD.

Setting the TokenGroups option enables Orchestrator to replace its group membership fetching mechanism to a single AD call, that checks the tokenGroups attribute of the user. This strategy is very fast, but unfortunately it does not work across domains, eg: as a user from DomainA permissions can not be inherited from groups that you belong to from DomainB.


To do this, add the following to web.config

  • .

Read more on