When a user belongs to more than 10 member groups in Active Directory, VIP Enterprise Gateway will only send the first 10 values to the VPN Gateway. This causes the VPN gateway (i.e., Cisco ASA) to reject the user.
By default, the maximum number of values returned for an attribute in a response is set to 10.
To raise the limit, go to the following folder:
<VIPEG Install folder>\Validation\servers\<Validation server name>\conf
and set
.server.max_attribute_in_response=
to match or exceed the number of groups that users are a part of. The validation response should now show more than 10 values.
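To choose the new value, it helps to know how many group values the largest account carries. The following PowerShell is an added example, not part of the original article or of VIP Enterprise Gateway; the function name and sample accounts are hypothetical, and it assumes the attribute being returned is memberOf.

```powershell
# Added example: report users whose group list exceeds the current limit and
# suggest a minimum for max_attribute_in_response.
# Assumption: the returned attribute is memberOf. memberOf does not include the
# primary group or nested (indirect) memberships.
function Get-GroupCountReport {
    param(
        [Parameter(Mandatory)] [object[]] $Users,  # objects with SamAccountName, MemberOf
        [int] $CurrentLimit = 10                   # default limit stated in this article
    )
    $rows = foreach ($u in $Users) {
        # Filter out nulls so an account with no groups counts as 0, not 1.
        $count = @($u.MemberOf | Where-Object { $_ }).Count
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            GroupCount     = $count
            Truncated      = $count -gt $CurrentLimit
        }
    }
    $max = ($rows | Measure-Object -Property GroupCount -Maximum).Maximum
    [pscustomobject]@{
        OverLimit        = @($rows | Where-Object Truncated |
                             Sort-Object GroupCount -Descending)
        SuggestedMinimum = [int]$max
    }
}

# Constructed sample input (not real directory data).
$sample = @(
    [pscustomobject]@{
        SamAccountName = 'alice'
        MemberOf = (1..14 | ForEach-Object { "CN=Group$_,OU=Groups,DC=example,DC=com" })
    }
    [pscustomobject]@{
        SamAccountName = 'bob'
        MemberOf = @('CN=VPN-Users,OU=Groups,DC=example,DC=com')
    }
    [pscustomobject]@{ SamAccountName = 'carol'; MemberOf = $null }
)

$report = Get-GroupCountReport -Users $sample
$report.OverLimit | Format-Table SamAccountName, GroupCount
"Set max_attribute_in_response to at least $($report.SuggestedMinimum)"

# Against a live domain (requires the ActiveDirectory module):
# Get-GroupCountReport -Users (Get-ADUser -Filter * -Properties MemberOf)
```

Accounts listed under OverLimit are the ones whose group list is cut off at the current limit.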