• 15 minutes after logging into NSX with an AD user authenticated by VMware Identity Manager, the user is unauthenticated:

• A log messages similar to this example is observed in /var/log/proxy/reverse-proxy.log file on the NSX manager:
  
  

  ####-##-##T##:##:##.###Z INFO Processing request 0496c3fa-c263-49ad-a14a-b71de7fad89f OAuth2AuthenticationProvider 2936 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Failed to use SAMAccountName, attempting UserPrincipleName: Invalid credentials
  ####-##-##T##:##:##.###Z ERROR Processing request 5ba3cd65-####-####-####-##########02 SessionInvalidationFilter 2744 - [nsx@6876 comp="nsx-manager" errorCode="MP1" level="ERROR" subcomp="http"] Authentication validation failed.
  org.springframework.security.authentication.BadCredentialsException: Invalid credentials
          at com.vmware.nsx.management.rp.security.oauth2.OAuth2AuthenticationProvider.attemptAuthentication(OAuth2AuthenticationProvider.java:140) ~[libreverse-proxy-compile.jar:?]
          at com.vmware.nsx.management.rp.security.oauth2.OAuth2AuthenticationProvider.authenticate(OAuth2AuthenticationProvider.java:125) ~[libreverse-proxy-compile.jar:?]
          at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182) ~[spring-security-core-5.6.9.jar:5.6.9]
          at com.vmware.nsx.management.rp.security.SessionInvalidationFilter.validateSession(SessionInvalidationFilter.java:153) ~[libreverse-proxy-compile.jar:?]
          at com.vmware.nsx.management.rp.security.SessionInvalidationFilter.doFilter(SessionInvalidationFilter.java:97) ~[libreverse-proxy-compile.jar:?]
  ..
  Caused by: org.springframework.security.oauth2.client.resource.OAuth2AccessDeniedException: Access token denied.
  ..
  Caused by: org.springframework.security.oauth2.common.exceptions.InvalidGrantException: Invalid username or password
  ..
  ####-##-##T##:##:##.###Z ERROR Processing request 5ba3cd65-####-####-####-##########02 NsxRestAuthenticationEntryPoint 2744 - [nsx@6876 comp="nsx-manager" errorCode="MP403" level="ERROR" subcomp="http"] The credentials were incorrect or the account specified has been locked.

• Login is not via the local login page https://nsx-mngr.example.com/login.jsp?local=true. While a vIDM user can login using the local link, it is not supported. vIDM users should log in via the standard redirect link for vIDM.
• In the Identity Manager UI under Dashboard -> Reports -> Audit events you see PASSWORD_LOCKEDOUT failed entries.
• The issue does not affect the NSX local admin account.
• The issue appears after upgrading NSX to version 4.1.1.x or above.

In NSX 4.1.1 there was a modification made to the NSX OAuth app in VIDM so that NSX won't issue as many refresh tokens.

This issue is resolved in VMware NSX 4.1.2.5 and 4.2.0, available at Broadcom downloads.

If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB. 

Note: The problem can still be observed on the fixed versions of NSX.

Workaround for the fixed versions and above:

To take advantage of the NSX code change, unconfigure and reconfigure vIDM for NSX.

Workaround for versions prior to the fixed version:

1. Login to the Identity manager's administrator console:
   
   https://<vidmFQDN>/SAAS/admin/
   
   
2. Navigate to the Catalog > Settings > Remote App Access
3. Locate the NSX Appliance name you supplied in NSX's vIDM config
4. Click on the NSX entry in the table to display the Configuration for its OAuth 2 Client. You should see Access Token Time-To-Live (TTL) set to 15 minutes.  
5. Click on EDIT next to the pencil icon and change the Access Token Time-To-Live value from 15 minutes to 16 hours.
6. Select Save to update the configuration.
   Note: This change will be OVERWRITTEN if vIDM configuration on NSX is updated in which case the steps can be performed again. Once implemented users will only need to re-enter their credentials every 16 hours (rather than 15 minutes)