NSX-T IDFW rules not being hit when user and the VM where that user logs in belong to different Windows domains, and they have LOCAL group membership rights

Article ID: 330456

Updated On:

Products

VMware NSX

Issue/Introduction

Symptoms:
IDFW rules are not matched even when they are correctly configured.

VDI desktop computers are in domain A, while the logged-in user is in domain B.

The user's rights are granted through membership of a domain LOCAL group.

Environment

VMware NSX-T Data Center

Cause

Cross-domain authentication only works properly when users are members of domain GLOBAL groups rather than domain LOCAL groups.

Resolution

Group memberships are only recognized when user and computer are in the same domain for all types of groups.

In setups where computer and user are part of different domains, domain GLOBAL groups must be used to ensure proper enforcement of rules.


Workaround:

Promote domain LOCAL groups to domain GLOBAL, or ensure computer and user are in the same domain for all types of groups.
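The following PowerShell audit is an added illustration, not part of this article and not an NSX or VMware tool. It lists the scope of each Active Directory group the user is a direct member of and flags domain LOCAL groups when the user's domain differs from the VDI computer's domain, which is the mismatch described above. It requires the RSAT ActiveDirectory module; the user name and the two domain names are assumed placeholders.

```powershell
# Added example (not from the KB article): audit AD group scopes for an IDFW user
# whose account lives in a different domain than the VDI desktop.
# Requires the RSAT ActiveDirectory module. All names below are assumed placeholders.
Import-Module ActiveDirectory

$UserName       = 'jdoe'             # assumed: user account in domain B
$UserDomain     = 'domainB.example'  # assumed: DNS name of the user's domain
$ComputerDomain = 'domainA.example'  # assumed: DNS name of the VDI desktop's domain

$crossDomain = $UserDomain -ne $ComputerDomain

# Resolve the user in its own domain, then fetch each group it is a DIRECT member of.
# Get-ADPrincipalGroupMembership does not expand nested groups; nested domain LOCAL
# groups would need a separate recursive check.
$user   = Get-ADUser -Identity $UserName -Server $UserDomain
$groups = Get-ADPrincipalGroupMembership -Identity $user -Server $UserDomain |
          Get-ADGroup -Server $UserDomain -Properties GroupScope

foreach ($g in $groups) {
    $status = switch ($g.GroupScope) {
        'Global' {
            'OK: domain GLOBAL group, recognized when user and computer domains differ'
        }
        'DomainLocal' {
            if ($crossDomain) {
                'WARNING: domain LOCAL group, not recognized by IDFW across domains'
            } else {
                'OK: same domain, LOCAL group membership is recognized'
            }
        }
        'Universal' {
            'INFO: universal group, not covered by this article; verify separately'
        }
    }

    [pscustomobject]@{
        Group  = $g.Name
        Scope  = $g.GroupScope
        Status = $status
    }
}

# Workaround from the article: promote a domain LOCAL group to domain GLOBAL.
# Active Directory does not allow DomainLocal -> Global in one step; convert to
# Universal first, then to Global. Run with -WhatIf before changing production groups.
# Set-ADGroup -Identity 'IDFW-Desktop-Users' -GroupScope Universal -Server $UserDomain -WhatIf
# Set-ADGroup -Identity 'IDFW-Desktop-Users' -GroupScope Global    -Server $UserDomain -WhatIf
```

The second conversion step (Universal to Global) only succeeds if the group contains no other universal groups and no members from outside its own domain, because a global group can only hold principals from the domain it lives in. If the audit shows a WARNING row for a group that carries IDFW rules, that group is the one to promote or to replace with a same-domain arrangement as the workaround describes.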


Additional Information

Impact/Risks:
Intended IDFW rules will not match.