LDAP users cannot log into NSX-T UI or are automatically logged out after 5 minutes when AD has subdomains
search cancel

LDAP users cannot log into NSX-T UI or are automatically logged out after 5 minutes when AD has subdomains

book

Article ID: 324162

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

Symptoms:
  • Prior to NSX-T Data Center 3.1.2, an LDAP user may log into the UI successfully however the user is automatically logged out after 5 minutes. The UI displays the error "The credentials were incorrect or the account specified has been locked."
  • On NSX-T Data Center 3.1.2 and above, an LDAP user may fail to log in to the NSX UI with the following error "No LDAP identity sources with a domain_name or alternative_domain_name matching XXXXX were found."
  • The AD configuration is comprised of subdomains e.g.
  example.com
  emea.example.com
  americas.example.com
 
  [email protected] can login without issues
  [email protected] experiences the issue described in this article


Environment

VMware NSX-T

Cause

This behaviour is observed when integrating NSX-T for LDAP authentication with an Active Directory (AD) environment where the forest is comprised of multiple subdomains.

Resolution

This is a known issue affecting NSX-T Data Center.

Workaround:
In such cases, NSX-T should be configured to connect to the AD Global Catalog (GC) of the primary domain and then each subdomain should be configured as an alternative domain name for that configuration.
The Global Catalog service usually runs on the primary AD domain controllers, and is a read-only copy of the most important information from all the primary and secondary domains.
The GC service runs on port 3268 (plaintext) and 3269 (LDAP over TLS, encrypted).

For example, if the primary domain is "example.com" and with subdomains "americas.example.com" and "emea.example.com"

1) Add AD example.com using either the LDAP protocol on port 3268 or the LDAPS protocol on port 3269
2) Configure the alternative domain names "americas.example.com" and "emea.example.com"


image.png


image.png


Users in one of the subdomains must log in using the appropriate domain in their login name.
For example, user2 in the emea.example.com domain must log in with the username "[email protected]".