REST API calls using a vIDM user fail in NSX-T

Article ID: 319104

Updated On: 06-09-2025

Products

VMware NSX

Issue/Introduction

  • With NSX-T it is possible to use vIDM for authentication to the NSX-T manager.
  • When you try to use a vIDM user with the correct permissions to run REST API calls, these calls may fail.
  • You are able to log into the NSX-T manager successfully with the same user you are using for the REST API calls and make changes.
  • The NSX-T manager is configured to use vIDM, and the vIDM setup is configured with a separate connector and a vIDM server.


Below is a sample REST API query and the results you may see:

    # curl --header "Authorization: Remote bnN4YWRtaW5AY#################==" --insecure -s --request GET https://<nsx-mgr>/api/v1/logical-ports
    {
        "module_name" : "common-services",
        "error_message" : "The credentials were incorrect or the account specified has been locked.",
        "error_code" : "403"
    }



Environment

  • VMware NSX

Cause

  • This happens when a separate connector server and a vIDM server are configured.
  • The vIDM server does not trust the CA certificate of the connector server.

Resolution

To work around this issue you will need to make the vIDM server trust the CA certificate from the connector server.

Workaround:
  1. Enable Outbound Mode for the Connector; this means that you will not need to trust the connector certificate.
  2. Details on how to achieve this can be found in the following official documentation:
    VMware Identity Manager Documentation
If you are still having issues after enabling Outbound Mode for the Connector, you may need to manually trust the connector certificate in vIDM:
  1. Run the following command from a Linux shell:
    openssl s_client -connect your-connector-ip:443
  2. Here your-connector-ip is either your connector IP address or a resolvable hostname.
  3. This should return a long output which includes the certificate.
  4. Select everything between the lines below, including the BEGIN and END lines of the certificate, and copy it to your clipboard:
    -----BEGIN CERTIFICATE-----
    MIIG....XdvA0
    -----END CERTIFICATE-----

To install this certificate on vIDM:

  1. In the vIDM server, log in to the Admin Portal
  2. Then go to Appliance Settings
  3. Click on Manage Configuration
  4. Enter your vIDM system admin password
  5. Select the Install SSL Certificates option on the left side bar
  6. Select the Trusted CAs tab
  7. Paste the connector certificate copied to the clipboard earlier into the Root or Intermediate Certificate text box
  8. Then click Add. You will be presented with a warning.
  9. Note: THIS OPERATION WILL RESTART YOUR VIDM SERVER, SO IT MAY AFFECT CURRENTLY LOGGED IN USERS!
  10. Click Ok.
  11. Once the service restart is complete, the spinning wheel on the page should go away.

Please retry the NSX-T API call.

Additional Information

Another possible cause for this behavior is if the NSX Manager date is behind the vIDM date.

  • Check /var/log/proxy/reverse-proxy.log on the NSX Manager at the time of the failed authentication.
  • Example log entries when the NSX date is behind the vIDM date:
    2022-05-10T17:00:00.688Z  INFO https-jsse-nio-<IP>-443-exec-2 VidmTokenServices 30035 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Fetch information from vIDM Discovery Endpoint https://{vIDM hostname}/SAAS/auth/.well-known/openid-configuration
    2022-05-10T17:00:00.778Z  INFO https-jsse-nio-<IP>-443-exec-2 NsxTrustManager 30035 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Trust thumbprint of CN=##########,OU=######,O=### Inc.,C=##
    2022-05-10T17:00:00.862Z  INFO https-jsse-nio-<IP>-443-exec-2 VidmTokenServices 30035 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Fetch public key from https://{vIDM hostname}/SAAS/API/1.0/REST/auth/token?attribute=publicKey&format=pem
    2022-05-10T17:00:00.904Z  INFO https-jsse-nio-<IP>-443-exec-2 VidmTokenServices 30035 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Validate access token locally: <token info>
    2022-05-10T17:00:00.905Z  WARN https-jsse-nio-<IP>-443-exec-2 CustomOidcAuthorizationCodeAuthenticationProvider 30035 - [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="http"] password grant flow authentication failed
    2022-05-10T17:00:00.905Z ERROR https-jsse-nio-<IP>-443-exec-2 NsxBasicAuthenticationFilter 30035 - [nsx@6876 comp="nsx-manager" errorCode="MP60204" level="ERROR" subcomp="http"] error
    org.springframework.security.authentication.BadCredentialsException: Could not obtain user details from token
    Caused by: org.springframework.security.oauth2.common.exceptions.InvalidTokenException: Token has been issued in the future: <UNIX timestamp>
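The following shell helpers are an added example, not code from this article or from VMware. They automate two of the manual checks above: extracting the connector certificate from the openssl s_client output in workaround step 4, and spotting the "issued in the future" clock-skew failure in reverse-proxy.log. The hostnames, certificate body and log text are constructed sample data, and the log timestamp is assumed to be UNIX epoch seconds.

```shell
# Added example, not code from the KB or from VMware: it automates two manual steps
# the article describes, extracting the connector certificate from `openssl s_client`
# output (workaround step 4) and spotting the clock-skew failure in reverse-proxy.log
# (Additional Information). Hostnames, certificate body and log text are constructed.

# Print only the first PEM block from stdin, BEGIN and END lines included; the
# handshake output s_client prints before and after it is dropped. Live use:
#   openssl s_client -connect your-connector-ip:443 </dev/null 2>/dev/null | extract_cert
extract_cert() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { p = 1 }
         p { print }
         /^-----END CERTIFICATE-----$/ { exit }'
}

# Succeed only if $1 starts with the BEGIN line and ends with the END line, i.e. it is
# safe to paste into the vIDM "Root or Intermediate Certificate" text box.
cert_is_well_formed() {
    first=$(printf '%s\n' "$1" | head -n 1)
    last=$(printf '%s\n' "$1" | tail -n 1)
    [ "$first" = "-----BEGIN CERTIFICATE-----" ] && [ "$last" = "-----END CERTIFICATE-----" ]
}

# Print the issue time from the last "Token has been issued in the future" line on
# stdin; assumed to be UNIX epoch seconds, as the KB's <UNIX timestamp> placeholder says.
issued_at_from_log() {
    sed -n 's/.*Token has been issued in the future: \([0-9]*\).*/\1/p' | tail -n 1
}

# Succeed if the token issue time ($1) is ahead of the NSX Manager clock ($2), both in
# epoch seconds; on a live manager pass "$(date -u +%s)" as $2.
token_issued_in_future() {
    [ "$1" -gt "$2" ]
}

# Constructed s_client output; the base64 body is a placeholder, not a real certificate.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
depth=0 CN = connector.example.test
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGxxxxCONSTRUCTEDxxxx
xxxxSAMPLExxxxXdvA0
-----END CERTIFICATE-----
subject=CN = connector.example.test
Verify return code: 18 (self signed certificate)'

# Constructed reverse-proxy.log excerpt matching the failure shown in the KB.
SAMPLE_LOG='2022-05-10T17:00:00.905Z ERROR NsxBasicAuthenticationFilter 30035 - error
Caused by: org.springframework.security.oauth2.common.exceptions.InvalidTokenException: Token has been issued in the future: 1652202060'
```

If token_issued_in_future succeeds for a timestamp taken from the live log, fix NTP on the NSX Manager before trusting any certificate, since the skew alone produces the same 403.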