While working at a customer site with a fairly large Active Directory built on an empty-root structure, I found that vCAC logins through Single Sign-On with Active Directory accounts were very slow. Each login attempt took up to 10-15 minutes.
The customer had a multi-tiered domain structure in a single forest. The top domain (the root domain, or level 1 domain if you prefer) was empty; all the users, including the vCAC users, were in the level 2 domain. When a user from the level 2 domain tried to log in, they hit one of the two problems below:
1- If the user did not have any group membership outside the level 2 domain, they were allowed to log in, but the login attempt took quite a while to complete (10-15 minutes).
2- If the user had any group membership or any other tie outside the level 2 domain, the progress bar on the login page would stop after the login attempt and nothing further would happen.
At first, I thought I might be short on resources on my SSO server, so I boosted them. While that sped things up a bit, the improvement was not very noticeable, and I knew there was more work to do. After some digging with other resources within VMware, I was told that in particular use cases (due to the way the customer's Active Directory is structured), adding one of the following port numbers to the end of the identity source could speed up the login dramatically. The list of ports I was given was: 3268 (highest rate of success, and the one I ended up using), 636, and 389. I tried each of these; 3268 gave me the best improvement, and my login became blazing fast afterward. The screenshot below shows my final identity store configuration:
Another tip I want to add: make sure the domain controller you are pointing to is an Active Directory Global Catalog. Finally, I hope everyone can now enjoy a blazing fast login to vCAC. Please leave a comment on how this tip worked out for you, or if you have found a different tip that worked for you.
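
To check the two tips above before changing the identity source, the following PowerShell (an added example, not part of the original post) confirms that the target domain controller reports itself as a ready Global Catalog, tests the three ports mentioned, and times the same user lookup on 389 and 3268. It assumes it is run from a domain-joined Windows machine with an account that can read the directory; the host name, base DN and test account are placeholders.

```powershell
# Added example: host name, base DN and account below are placeholders.
$DomainController = 'dc01.child.example.com'      # DC named in the identity source
$BaseDN           = 'DC=child,DC=example,DC=com'  # the level 2 domain
$TestUser         = 'vcac.testuser'               # sAMAccountName of a level 2 user

# 1. Does this DC advertise itself as a ready Global Catalog?
$rootDse = [ADSI]"LDAP://$DomainController/RootDSE"
"isGlobalCatalogReady: $($rootDse.Properties['isGlobalCatalogReady'].Value)"

# 2. Are the three candidate ports reachable from this machine?
foreach ($port in 3268, 636, 389) {
    $r = Test-NetConnection -ComputerName $DomainController -Port $port `
                            -WarningAction SilentlyContinue
    "port $port reachable: $($r.TcpTestSucceeded)"
}

# 3. Time the same user lookup (including group membership) on 389 and 3268.
#    636 is left out here because it requires an LDAPS bind.
foreach ($port in 389, 3268) {
    $path     = "LDAP://${DomainController}:$port/$BaseDN"
    $entry    = New-Object System.DirectoryServices.DirectoryEntry($path)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
                    $entry, "(sAMAccountName=$TestUser)")
    [void]$searcher.PropertiesToLoad.Add('memberOf')

    $elapsed = Measure-Command { $null = $searcher.FindOne() }
    "port $port lookup: {0:N0} ms" -f $elapsed.TotalMilliseconds

    $searcher.Dispose()
    $entry.Dispose()
}
```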