LDAP users cannot log into NSX-T UI or are automatically logged out after 5 minutes when AD has subdomains
search cancel

LDAP users cannot log into NSX-T UI or are automatically logged out after 5 minutes when AD has subdomains

book

Article ID: 324162

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

  • Prior to NSX-T Data Center 3.1.2, an LDAP user may log into the UI successfully however the user is automatically logged out after 5 minutes. The UI displays the error "The credentials were incorrect or the account specified has been locked."
  • On NSX-T Data Center 3.1.2 and above, an LDAP user may fail to log in to the NSX UI with the following error "No LDAP identity sources with a domain_name or alternative_domain_name matching XXXXX were found."
  • Verified from NSX manager logs (/var/log/proxy/reverse-proxy.log)
    2025-10-23T09:48:58.323Z  WARN Processing request 060c4511-6012-42b1-920e-8c889416d808 DelegatingLdapAuthProvider 74556 - [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="http"] Could not find a matching LDAP authentication provider for user UsernamePasswordAuthenticationToken [Principal=<username>@<domain-name>, Credentials=[PROTECTED], Authenticated=false, Details=WebAuthenticationDetails [RemoteIpAddress=X.X.X.X, SessionId=null], Granted Authorities=[]]. No LDAP identity sources with a domain_name or alternative_domain_name matching <domain-name> were found.
  • The AD configuration is comprised of subdomains e.g.
      example.com
      emea.example.com
      americas.example.com
     

      [email protected] can login without issues
      [email protected] experiences the issue described in this article

 



Environment

VMware NSX

Cause

This behavior is observed when integrating NSX for LDAP authentication with an Active Directory (AD) environment where the forest is comprised of multiple subdomains.

Resolution

This is a known issue affecting NSX.

Workaround
In such cases, NSX-T should be configured to connect to the AD Global Catalog (GC) of the primary domain and then each subdomain should be configured as an alternative domain name for that configuration.
The Global Catalog service usually runs on the primary AD domain controllers, and is a read-only copy of the most important information from all the primary and secondary domains.
The GC service runs on port 3268 (plaintext) and 3269 (LDAP over TLS, encrypted).

For example, if the primary domain is "example.com" and with subdomains "americas.example.com" and "emea.example.com"

1) Add AD example.com using either the LDAP protocol on port 3268 or the LDAPS protocol on port 3269
2) Configure the alternative domain names "americas.example.com" and "emea.example.com"








Users in one of the subdomains must log in using the appropriate domain in their login name.
For example, user2 in the emea.example.com domain must log in with the username "[email protected]".

Powered by Wolken Software