LDAP users cannot log into NSX-T UI or are automatically logged out after 5 minutes when AD has alternative UPN


Article ID: 324177


Updated On: 02-17-2025

Products

VMware NSX-T Data Center

Issue/Introduction

  • Prior to NSX-T Data Center 3.1.2, an LDAP user may log in to the UI successfully, but is automatically logged out after 5 minutes. The UI displays the error "The credentials were incorrect or the account specified has been locked."
  • On NSX-T Data Center 3.1.2 and above, an LDAP user may fail to log in to the NSX UI with the following error: "No LDAP identity sources with a domain_name or alternative_domain_name matching XXXXX were found."
  • The AD configuration consists of a main domain and an alternative UPN suffix, e.g.
      example.com
      example.net
  • The behavior is observed if there is a user user@example.net who attempts to log in as user@example.com.

Environment

VMware NSX-T Data Center

Cause

Prior to NSX-T Data Center 3.1.2, if LDAP has not been configured correctly on NSX-T and user@example.net attempts to log in as user@example.com, the login authenticates, but after 5 minutes the user is automatically logged out.

On NSX-T 3.1.2 and above, NSX-T behavior was changed to prevent such a login when the alternate domain name had not been configured correctly.

Resolution

This issue is resolved in NSX-T Data Center 3.1.2.0.

Workaround:
To allow users to log in with an alternative UPN, the LDAP identity source should be configured with the alternative domain names.

In this case, with a primary domain of example.com and an alternative UPN suffix of example.net, the following configuration should be used.

1) Add the AD identity source for example.com
2) Configure the alternative domain name "example.net" on that identity source
