NSX-T IDFW rules not being hit when user and the VM where that user logs in belong to different Windows domains, and they have LOCAL group membership rights
Article ID: 330456
Updated On: 07-31-2022
Products
VMware NSX
Issue/Introduction
Symptoms: IDFW rules are not matched even when they are properly configured.
VDI desktop computers are in domain A, while the logged-in user is in domain B.
The user's rights are granted through domain LOCAL group membership.
Environment
VMware NSX-T Data Center
Cause
Cross-domain authentication only works properly when users are members of domain GLOBAL groups rather than domain LOCAL groups.
Resolution
Group memberships of all group types are only recognized when the user and the computer are in the same domain.
In setups where the computer and the user belong to different domains, domain GLOBAL groups must be used to ensure the rules are enforced.
Workaround:
Promote domain LOCAL groups to domain GLOBAL, or ensure the computer and the user are in the same domain, where all group types are recognized.
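Before promoting groups, it helps to know which of the user's memberships are domain LOCAL groups in the desktop's domain, since those are the ones this article says IDFW does not honour for a cross-domain logon. The following PowerShell script is an added example, not part of the KB article or of VMware's tooling. It uses the RSAT ActiveDirectory module to collect the user's direct group memberships from the user's own domain and, via the user's foreign security principal object, from the desktop's domain, and labels each by GroupScope. The domain names and account name are placeholder assumptions.

```powershell
# Added example (not from the KB article). Requires the RSAT ActiveDirectory module
# and read access to both domains. Domain names and the account are placeholders.
Import-Module ActiveDirectory

$UserSam        = 'jdoe'            # assumed sample user account in domain B
$UserDomain     = 'domB.example'    # assumed DNS name of the user's domain (domain B)
$ComputerDomain = 'domA.example'    # assumed DNS name of the VDI desktop's domain (domain A)

# Derive a DNS-style domain name from a distinguished name's DC= components.
function Get-DomainFromDN {
    param([string]$DistinguishedName)
    $parts = $DistinguishedName -split ',' | Where-Object { $_ -like 'DC=*' }
    return (($parts | ForEach-Object { $_.Substring(3) }) -join '.')
}

# 1. Direct memberships recorded on the user object in the user's own domain.
$user   = Get-ADUser -Identity $UserSam -Server $UserDomain -Properties MemberOf
$groups = foreach ($dn in $user.MemberOf) {
    # Query the domain that owns each group DN; memberOf may reference other domains.
    Get-ADGroup -Identity $dn -Server (Get-DomainFromDN $dn) -Properties GroupScope
}

# 2. Memberships in the desktop's domain. A user from another domain is stored there
#    as a foreign security principal (FSP) whose CN is the user's SID string, so
#    find that object and then every group in domain A listing it as a member.
$domainADN = (Get-ADDomain -Server $ComputerDomain).DistinguishedName
$fsp = Get-ADObject -Server $ComputerDomain `
        -SearchBase "CN=ForeignSecurityPrincipals,$domainADN" `
        -Filter 'objectClass -eq "foreignSecurityPrincipal"' |
       Where-Object { $_.Name -eq $user.SID.Value }
if ($fsp) {
    $groups += Get-ADGroup -Server $ComputerDomain `
                 -LDAPFilter "(member=$($fsp.DistinguishedName))" -Properties GroupScope
}

# 3. Report each group with its scope and what this article says about it.
$report = $groups | Sort-Object DistinguishedName -Unique | ForEach-Object {
    $guidance = switch ($_.GroupScope) {
        'Global'      { 'honoured for cross-domain logon' }
        'DomainLocal' { 'NOT honoured for cross-domain logon; promote to Global' }
        default       { 'not covered by the article' }   # Universal groups
    }
    [pscustomobject]@{
        Group    = $_.Name
        Domain   = Get-DomainFromDN $_.DistinguishedName
        Scope    = $_.GroupScope
        Guidance = $guidance
    }
}
$report | Format-Table -AutoSize

# Warn explicitly about the groups that match the symptom described in the article.
$report | Where-Object { $_.Scope -eq 'DomainLocal' } | ForEach-Object {
    Write-Warning ("Domain-local group '{0}' in {1}: IDFW rules keyed on it will not match " +
                   "when the user logs on to a desktop in another domain.") -f $_.Group, $_.Domain
}
```

Run it from a management host joined to either domain with a trust to the other; the warning lines point at the groups whose scope needs changing (or whose members need moving into the same domain as the desktops) before the IDFW rules will match.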