NSX-T IDFW rules are not working as expected



Article ID: 324238


Updated On:


VMware NSX Networking


  • NSX-T 3.1.0/3.1.1/3.1.2
  • On the NSX UI, the source VM is not populated in the effective members of the AD Group after an AD user logs onto the source VM.
  • The AD user's Distinguished Name (dname) contains a special character.
  • The NSX Manager log /var/log/proton/nsxapi.log shows the logon event, but the user is not mapped to any group:
2021-05-17T19:54:24.469Z  INFO IDFW-Vertical1 UserToParentGroupsCache 5573 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Loading user from LDAP: CN=Doe\, John (VDI User),OU=corp,DC=local
2021-05-17T19:54:25.385Z  INFO IDFW-Vertical1 IdfwEventProcessorImpl 5573 FIREWALL [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] 1/1: no mapping to add, none of user's parent AD-group(s) are in any NSGroup


VMware NSX-T Data Center 3.x
VMware NSX-T Data Center


Active Directory requires that the following ten characters be escaped with the backslash "\" escape character if they appear in any of the individual components of a distinguished name:
  • Comma     ,
  • Backslash character     \
  • Pound sign (hash sign)     #
  • Plus sign     +
  • Less than symbol     <
  • Greater than symbol     >
  • Semicolon     ;
  • Double quote (quotation mark)     "
  • Equal sign     =
  • Leading or trailing spaces
Due to a processing issue, NSX-T does not handle these escaped characters correctly when it reads the user's distinguished name.
As a result, the user is not matched to the AD Group, no translation takes place to map the login to the Grouping object, and the IDFW rule is not applied.
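To make the failure mode concrete, the following is an added example (not NSX code). It parses a distinguished name according to the RFC 4514 escaping rules listed above and contrasts that with a naive split on commas. The DN is the one from the nsxapi.log line on this page; the function names, the hex-escaped variant of the DN and the naive_cn comparison are constructed for illustration.

```python
"""Parse and escape LDAP distinguished names per RFC 4514.

Added example for this article, not NSX code. The DN in LOGGED_DN is the one
from the nsxapi.log line on the page; everything else is a constructed
illustration of how escaped special characters in a DN must be handled.
"""

# RFC 4514 / Active Directory: these characters are backslash-escaped in a value.
SPECIAL_CHARS = set(',\\#+<>;"=')
HEX = set("0123456789abcdefABCDEF")


def escape_rdn_value(value: str) -> str:
    """Escape a raw attribute value so it can be embedded in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL_CHARS or (ch == " " and i in (0, last)):
            out.append("\\" + ch)  # leading/trailing spaces are escaped too
        else:
            out.append(ch)
    return "".join(out)


def parse_dn(dn: str):
    """Split a DN into (attribute, value) pairs, honouring backslash escapes.

    A naive dn.split(",") cuts 'Doe\\, John' in half; this parser keeps an
    escaped comma inside the value. Hex escapes (\\2C) are decoded as UTF-8
    bytes. Multi-valued RDNs (an unescaped '+') are rejected for simplicity.
    """
    rdns = []
    attr = None
    buf = bytearray()
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            nxt = dn[i + 1:i + 2]
            pair = dn[i + 1:i + 3]
            if nxt and (nxt in SPECIAL_CHARS or nxt == " "):
                buf += nxt.encode()          # \, \\ \# ... \<space>
                i += 2
            elif len(pair) == 2 and set(pair) <= HEX:
                buf.append(int(pair, 16))    # \XX hex escape, one byte
                i += 3
            else:
                raise ValueError(f"bad escape at offset {i}")
            continue
        if ch == "=" and attr is None:
            attr = buf.decode().strip()      # attribute type, e.g. CN
            buf = bytearray()
        elif ch == ",":
            if attr is None:
                raise ValueError(f"RDN without '=' before offset {i}")
            rdns.append((attr, buf.decode()))
            attr, buf = None, bytearray()
        elif ch == "+":
            raise ValueError("multi-valued RDNs are not supported here")
        else:
            buf += ch.encode()
        i += 1
    if attr is None:
        raise ValueError("trailing RDN without '='")
    rdns.append((attr, buf.decode()))
    return rdns


def naive_cn(dn: str) -> str:
    """Buggy approach: split on ',' then on '='. Breaks on an escaped comma."""
    return dn.split(",")[0].split("=", 1)[1]


def cn_of(dn: str) -> str:
    """Correct approach: value of the first RDN of the parsed DN."""
    return parse_dn(dn)[0][1]


def same_dn(a: str, b: str) -> bool:
    """Compare two DNs structurally; attribute types are case-insensitive."""
    pa = [(t.lower(), v) for t, v in parse_dn(a)]
    pb = [(t.lower(), v) for t, v in parse_dn(b)]
    return pa == pb


# DN from the article's log line (constructed string, same content as the log).
LOGGED_DN = r"CN=Doe\, John (VDI User),OU=corp,DC=local"

if __name__ == "__main__":
    print("parsed:  ", parse_dn(LOGGED_DN))
    print("naive CN:", naive_cn(LOGGED_DN))
    print("real CN: ", cn_of(LOGGED_DN))
    print("escaped: ", escape_rdn_value("Doe, John (VDI User)"))
```

The naive split yields the fragment `Doe\` as the CN, which can never equal the CN stored on the AD group's member attribute, so the user-to-group mapping silently fails exactly as the "no mapping to add" log line reports. Any component that compares a logged-on user's DN with group member DNs should compare parsed components, as same_dn does, and accept both the backslash-character and \XX hex forms that directory servers may return for the same value.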


This issue is resolved in NSX-T Data Center 3.1.3, available from VMware Downloads.

If an upgrade is not possible, the only workaround is to create a new user whose dname does not contain these special characters, or to edit an existing user's dname to remove them.