This usually happens when a domain can not be found where the user is part of a group of.
How are your identity sources set up? Integrated Windows Authentication or AD over LDAP?
Does it work with a freshly created test user that is not part of any groups?
How complex is your AD structure? Child domains, Forest domains etc.