An active directory group exists that contains more than 4000 groups.
When a user who is in a group checks to see if they belong to this group using the function vas_auth_check_client_membership_with_server_id the function reports the user is not in the group.
This causes authorization failure if mod_auth_vas is used.
Use either of the following 2 commands:
Both of these query the group list from AD, without the user's PAC, thus allowing for the complete list of groups to be returned if more than 1500.