Short version: Does the AD group type (universal, global or domain local) have any bearing on role derivation in CPPM? User is in a global group "elementary" which is then part of domain local group "Employees". I keep getting failures to authenticate because CPPM does not indicate the user is in "Employees" but AD clearly shows that it is there. The user in question does show up in the groups he is directly added to but not the nested group (in CPPM details). SubTree Search is turned on for the AD authentication source.
I've done this before at a previous job but I had no access to AD at that location. I suspect it doesn't matter but I could be wrong.