LDAP users cannot log into NSX-T UI or are automatically logged out after 5 minutes when AD has alternative UPN

Article ID: 324177

Products

VMware NSX Networking

Issue/Introduction

Symptoms:
  • Prior to NSX-T Data Center 3.1.2, an LDAP user may log into the UI successfully, but is automatically logged out after 5 minutes. The UI displays the error "The credentials were incorrect or the account specified has been locked."
  • On NSX-T Data Center 3.1.2 and above, an LDAP user may fail to log in to the NSX UI with the error "No LDAP identity sources with a domain_name or alternative_domain_name matching XXXXX were found."
  • The AD configuration consists of a main domain and an alternative UPN suffix, e.g.:
    • example.com
    • example.net

Environment

VMware NSX-T Data Center

Cause

Prior to NSX-T Data Center 3.1.2, if LDAP has not been configured correctly on NSX-T and a user whose UPN is in example.com attempts to log in with the alternative UPN suffix example.net, the login authenticates, but after 5 minutes the user is automatically logged out. On NSX-T 3.1.2 and above, the NSX-T behaviour was changed to reject such a login outright when the alternative domain name has not been configured.

Resolution

This issue is resolved in NSX-T Datacenter 3.1.2.0.

Workaround:
To allow users to log in with an alternative UPN suffix, the LDAP identity source must be configured with the alternative domain names.

In the case of a primary domain example.com and an alternative UPN suffix example.net, use the following configuration:

1) Add the AD identity source for example.com
2) Configure the alternative domain names with "example.net"
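As an added illustration (not code from the KB article or from NSX-T itself), the Python below models the domain-matching check that the 3.1.2 error message describes: the suffix of the login UPN must match the identity source's domain_name or one of its alternative_domain_names. The dict layout is an assumption that mirrors the error text rather than the NSX-T API schema, and "user" is a constructed local part.

```python
# Constructed model of the identity-source lookup the KB describes; the dict
# layout is an assumption that mirrors the error text, not the NSX-T API schema.

# Identity source as it is typically misconfigured: only the primary domain.
SOURCE_PRIMARY_ONLY = {
    "domain_name": "example.com",
    "alternative_domain_names": [],
}

# The same source after the workaround: the alternative UPN suffix is added.
SOURCE_WITH_ALTERNATIVE = {
    "domain_name": "example.com",
    "alternative_domain_names": ["example.net"],
}


def upn_suffix(login):
    """Return the lower-cased domain part of a UPN-style login (user@example.net)."""
    user, sep, domain = login.rpartition("@")
    if not (sep and user and domain):
        raise ValueError(f"login {login!r} is not in user@domain form")
    return domain.lower()


def find_identity_source(login, sources):
    """Return the source whose domain_name or alternative_domain_names matches
    the login's UPN suffix; raise LookupError with the NSX-T 3.1.2+ error text."""
    suffix = upn_suffix(login)
    for source in sources:
        names = [source["domain_name"], *source.get("alternative_domain_names", [])]
        if suffix in (name.lower() for name in names):
            return source
    raise LookupError(
        "No LDAP identity sources with a domain_name or "
        f"alternative_domain_name matching {suffix} were found."
    )


def login_allowed(login, sources):
    """True when the login resolves to a configured identity source."""
    try:
        find_identity_source(login, sources)
    except LookupError:
        return False
    return True


# user@example.net is rejected before the workaround and accepted after it.
assert login_allowed("user@example.net", [SOURCE_PRIMARY_ONLY]) is False
assert login_allowed("user@example.net", [SOURCE_WITH_ALTERNATIVE]) is True
```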
