• With NSX-T it is possible to use vIDM for authentication the NSX-T manager.
• When you try to use a vIDM user with the correct permissions to run REST API calls these may fail.
• You are able to successfully log into the NSX-T manager with the same user you are using for REST API calls and make changes.
• The NSX-T manager is configured to use vIDM, the vIDM setup is configured with a connector and a vIDM server.

Below is a sample REST API query and the results you may see:

# curl  --header "Authorization: Remote bnN4YWRtaW5AY#################==" --insecure -s --request GET https://<nsx-mgr>/api/v1/logical-ports

{

    "module_name" : "common-services",

    "error_message" : "The credentials were incorrect or the account specified has been locked.",

    "error_code" : "403"

}

• VMware NSX

• This happens when there is a separate connector server and a vIDM server configured.
• The vIDM server does not trust the CA certificate of the connector server.

1. Enable Outbound Mode for the Connector, this means the you will not need to trust the connector certificate.
2. Details on how to achieve this can be found in the following official documentation:
   VMware Identity Manager Documentation

To install this certificate on vIDM:

1. In the vIDM server, login to the Admin Portal
2. Then go to Appliance Settings
3. Click on Manage configuration
4. Enter your vIDM system admin password
5. Select the Install SSL Certificates option on the left side bar
6. Select the Trusted CAs tab
7. Paste the connector certificate copied to the clipboard earlier in the Root or Intermediate Certificate text box
8. Then click Add.
   1. You will be presented with a warning:
9. Note: THIS OPERATION WILL RESTART YOUR VIDM SERVER SO MAY AFFECT CURRENT LOGGED IN USERS !
10. Click Ok.
11. Once the service restart is complete, the spinning wheel on the page should go away.

Please retry NSX-T API again.

Another possible cause for this behavior is if the NSX Manager date is behind the vIDM date.

• Check /var/log/proxy/reverse-proxy.log on the NSX Manager at time of failed authentication. 
• Example logging if NSX date is behind vIDM date:

  2022-05-10T17:00:00.688Z  INFO https-jsse-nio-<IP>-443-exec-2 VidmTokenServices 30035 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Fetch information from vIDM Discovery Endpoint https://{vIDM hostname}/SAAS/auth/.well-known/openid-configuration
  
  2022-05-10T17:00:00.778Z  INFO https-jsse-nio-<IP>-443-exec-2 NsxTrustManager 30035 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Trust thumbprint of CN=##########,OU=######,O=### Inc.,C=##
  
  2022-05-10T17:00:00.862Z  INFO https-jsse-nio-<IP>-443-exec-2 VidmTokenServices 30035 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Fetch public key from https://{vIDM hostname}/SAAS/API/1.0/REST/auth/token?attribute=publicKey&format=pem
  
  2022-05-10T17:00:00.904Z  INFO https-jsse-nio-<IP>-443-exec-2 VidmTokenServices 30035 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Validate access token locally: <token info>
  
  2022-05-10T17:00:00.905Z  WARN https-jsse-nio-<IP>-443-exec-2 CustomOidcAuthorizationCodeAuthenticationProvider 30035 - [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="http"] password grant flow authentication failed
  
  2022-05-10T17:00:00.905Z ERROR https-jsse-nio-<IP>-443-exec-2 NsxBasicAuthenticationFilter 30035 - [nsx@6876 comp="nsx-manager" errorCode="MP60204" level="ERROR" subcomp="http"] error
  
  org.springframework.security.authentication.BadCredentialsException: Could not obtain user details from token
  
  Caused by: org.springframework.security.oauth2.common.exceptions.InvalidTokenException: Token has been issued in the future: <UNIX timestamp>