LDAP users cannot log into NSX-T UI or are automatically logged out after 5 minutes when AD has subdomains

Article ID: 324162

Products

VMware NSX Networking

Issue/Introduction

Symptoms:
  • Prior to NSX-T Data Center 3.1.2, an LDAP user may log into the UI successfully, but the user is automatically logged out after 5 minutes. The UI displays the error "The credentials were incorrect or the account specified has been locked."
  • On NSX-T Data Center 3.1.2 and above, an LDAP user may fail to log in to the NSX UI with the following error: "No LDAP identity sources with a domain_name or alternative_domain_name matching XXXXX were found."
  • The AD configuration is comprised of subdomains, e.g.:
  example.com
  emea.example.com
  americas.example.com
 
  [email protected] can log in without issues
  [email protected] experiences the issue described in this article


Environment

VMware NSX-T

Cause

This behaviour is observed when integrating NSX-T for LDAP authentication with an Active Directory (AD) environment where the forest is comprised of multiple subdomains.

Resolution

This is a known issue affecting NSX-T Data Center.

Workaround:
In such cases, NSX-T should be configured to connect to the AD Global Catalog (GC) of the primary domain and then each subdomain should be configured as an alternative domain name for that configuration.
The Global Catalog service usually runs on the primary AD domain controllers, and is a read-only copy of the most important information from all the primary and secondary domains.
The GC service runs on port 3268 (plaintext) and 3269 (LDAP over TLS, encrypted).

For example, if the primary domain is "example.com" with subdomains "americas.example.com" and "emea.example.com":

1) Add AD example.com using either the LDAP protocol on port 3268 or the LDAPS protocol on port 3269
2) Configure the alternative domain names "americas.example.com" and "emea.example.com"


Users in one of the subdomains must log in using the appropriate domain in their login name.
For example, user2 in the emea.example.com domain must log in with the username "[email protected]".
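
The check below is an added example, not part of the original article or VMware's code: it lints an identity source definition against the workaround (Global Catalog port, alternative domain names) and against the login names users are expected to type. The field names assume the NSX-T Policy API LDAP identity source schema, the exact case-insensitive domain match is an assumption, and the host name, base DN and user names are constructed.

```python
from urllib.parse import urlparse

GC_PORTS = {"ldap": 3268, "ldaps": 3269}  # Global Catalog ports named in the article

# Constructed identity source; field names assume the NSX-T Policy API
# LDAP identity source schema and are not taken from the article.
SOURCE = {
    "resource_type": "ActiveDirectoryIdentitySource",
    "domain_name": "example.com",
    "base_dn": "DC=example,DC=com",
    "alternative_domain_names": ["emea.example.com", "americas.example.com"],
    "ldap_servers": [{"url": "ldaps://dc1.example.com:3269"}],
}

def login_domain(login):
    """Return the lower-cased domain part of a user@domain login name."""
    user, sep, domain = login.rpartition("@")
    if not sep or not user or not domain:
        raise ValueError(f"login name must be user@domain: {login!r}")
    return domain.lower()

def source_matches(source, login):
    """True if the login's domain equals domain_name or an alternative name.
    Exact, case-insensitive comparison is an assumption of this sketch."""
    names = [source["domain_name"], *source.get("alternative_domain_names", [])]
    return login_domain(login) in {n.lower() for n in names}

def lint_source(source, logins):
    """Return findings for one identity source checked against expected logins."""
    findings = []
    for server in source.get("ldap_servers", []):
        url = urlparse(server["url"])
        expected = GC_PORTS.get(url.scheme)
        if expected is None:
            findings.append(f"{server['url']}: scheme is not ldap or ldaps")
        elif url.port != expected:
            findings.append(f"{server['url']}: not the Global Catalog port {expected}")
        elif url.scheme == "ldap":
            findings.append(f"{server['url']}: plaintext Global Catalog connection")
    for login in logins:
        if not source_matches(source, login):
            findings.append(f"{login}: no matching domain_name or alternative_domain_name")
    return findings

if __name__ == "__main__":
    for finding in lint_source(SOURCE, ["alice@example.com", "bob@emea.example.com"]):
        print(finding)
```

An empty result means every listed login name maps to the identity source and every server URL points at the encrypted Global Catalog port.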