By default, Orchestrator uses the UserPrincipal.GetAuthorizationGroups() method to fetch AD group membership. This fix handles the case where that API seems to be very slow in a large AD.

Setting the TokenGroups option makes Orchestrator replace its group membership fetching mechanism with a single AD call that checks the tokenGroups attribute of the user. This strategy is very fast, but unfortunately it does not work across domains. For example, a user from DomainA cannot inherit permissions from groups they belong to in DomainB.
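Before switching, it helps to know which group memberships a given user would lose. The following is an added example, not Orchestrator's own code: it approximates the two lookup strategies with standard .NET calls and lists the groups that only GetAuthorizationGroups() returns. It assumes a domain-joined Windows host, the account name passed as the first argument, and a hypothetical class name.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Security.Principal;

// Hypothetical helper, not part of Orchestrator.
static class GroupLookupComparison
{
    static void Main(string[] args)
    {
        string account = args[0]; // sAMAccountName or UPN of the user to check

        using var ctx = new PrincipalContext(ContextType.Domain);
        using var user = UserPrincipal.FindByIdentity(ctx, account)
            ?? throw new ArgumentException("User not found: " + account);

        // Strategy 1: the default API, which resolves every group to a Principal.
        var viaApi = new HashSet<SecurityIdentifier>(
            user.GetAuthorizationGroups()
                .Select(g => g.Sid)
                .Where(sid => sid != null));

        // Strategy 2: one read of the constructed tokenGroups attribute.
        // It is not returned by default, so it must be requested explicitly.
        var entry = (DirectoryEntry)user.GetUnderlyingObject();
        entry.RefreshCache(new[] { "tokenGroups" });
        var viaToken = new HashSet<SecurityIdentifier>(
            entry.Properties["tokenGroups"]
                 .Cast<byte[]>()
                 .Select(raw => new SecurityIdentifier(raw, 0)));

        Console.WriteLine($"GetAuthorizationGroups: {viaApi.Count}, tokenGroups: {viaToken.Count}");

        // Groups listed here would stop granting permissions after the switch.
        foreach (var sid in viaApi.Except(viaToken))
            Console.WriteLine("Only via GetAuthorizationGroups: " + Describe(sid));
    }

    // Resolve a SID to DOMAIN\name where possible; fall back to the raw SID.
    static string Describe(SecurityIdentifier sid)
    {
        try { return sid.Translate(typeof(NTAccount)) + " (" + sid + ")"; }
        catch (IdentityNotMappedException) { return sid.ToString(); }
    }
}
```

An empty "Only via GetAuthorizationGroups" list for the users you sample means their effective groups are the same under both lookups.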

To enable the TokenGroups option, add the following to web.config

