This is a known issue affecting VMware NSX-T Data Center 3.1.x.
The issue is resolved in VMware NSX-T Data Center 3.1.2.
Workaround:
To work around this issue, change the BaseDN so that fewer entries are searched when resolving the groups that a user belongs to.
Note: For users who are part of many groups, consider creating an alternative LDAP identity for that user to use when logging into NSX. Only include that user in the groups needed to allow the user to log into NSX.
If you have a large Active Directory configuration, you can use these steps prior to upgrading to determine if this issue is applicable to your environment.
Before upgrading to VMware NSX-T Data Center 3.1 or 3.1.1:
- Download and install the Microsoft Remote Server Administration Tools. For more information, see:
Remote Server Administration Tools for Windows 10
Remote Server Administration Tools for Windows 8
Remote Server Administration Tools for Windows 8.1
For instructions on using the tool, see Remote Server Administration Tools (RSAT) for Windows.
Disclaimer: VMware is not responsible for the reliability of any data, opinions, advice, or statements made on third-party websites. Inclusion of such links does not imply that VMware endorses, recommends, or accepts any responsibility for the content of such sites.
- Once installed, open a command shell on a computer that is joined to your Active Directory (AD) domain and run this command:
dsquery user -upn <your_UPN>
where <your_UPN> is the userPrincipalName you use to log in, typically of the form "[email protected]".
The output of the command is your full Distinguished Name (DN). Then run the following command, substituting that DN, and note how long it takes to complete and return to the command prompt:
dsquery * -filter "member:1.2.840.113556.1.4.1941:=<your DN>"
For example:
dsquery * -filter "member:1.2.840.113556.1.4.1941:=CN=John Doe,OU=Users,OU=SanDiego_California_USA,OU=NA,OU=SITES,DC=example,DC=com"
Notes:
- The string "1.2.840.113556.1.4.1941" is the OID of the Microsoft LDAPv3 extensible-match rule LDAP_MATCHING_RULE_IN_CHAIN; using it in the filter asks AD to resolve nested (transitive) group membership on the server side, which is the same work NSX asks the directory to do at login.
- If this command takes more than ten seconds to complete, the user/group structure of your AD is complex enough that NSX login will be very slow or will time out. VMware recommends not upgrading to NSX-T Data Center 3.1 or 3.1.1 at this time.
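The same pre-upgrade check as a script, added here as an example (it is not part of the VMware KB): it resolves the UPN to a DN, times the server-side LDAP_MATCHING_RULE_IN_CHAIN lookup, and compares the result with the ten-second threshold above. It uses System.DirectoryServices, so RSAT is not needed; the optional BaseDn parameter lets you see how narrowing the search base (the workaround above) changes the timing. Assumed: it runs in PowerShell on a domain-joined Windows host; the parameter names are the example's own.

```powershell
# Added example, not VMware's code. Times AD nested-group resolution for one user.
param(
    [Parameter(Mandatory = $true)][string]$Upn,   # e.g. the userPrincipalName used to log in to NSX
    [string]$BaseDn = "",                         # optional narrower search base (BaseDN workaround)
    [int]$ThresholdSec = 10                       # threshold from the KB
)

Add-Type -AssemblyName System.DirectoryServices

# Search root: the joined domain's default naming context, or the supplied BaseDN.
$root = if ($BaseDn) { New-Object System.DirectoryServices.DirectoryEntry("LDAP://$BaseDn") }
        else         { New-Object System.DirectoryServices.DirectoryEntry }

# Step 1: UPN -> distinguished name (equivalent of "dsquery user -upn").
$userSearch = New-Object System.DirectoryServices.DirectorySearcher($root)
$userSearch.Filter = "(&(objectClass=user)(userPrincipalName=$Upn))"
[void]$userSearch.PropertiesToLoad.Add("distinguishedName")
$user = $userSearch.FindOne()
if (-not $user) { throw "No user with userPrincipalName '$Upn' found under the search base." }
$dn = [string]$user.Properties["distinguishedname"][0]
Write-Host "DN: $dn"

# Step 2: ask AD for transitive group membership server-side and time it.
# 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN. Characters that are
# special in LDAP filters must be escaped in the DN (backslash first).
$escapedDn = $dn -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
$groupSearch = New-Object System.DirectoryServices.DirectorySearcher($root)
$groupSearch.Filter = "(member:1.2.840.113556.1.4.1941:=$escapedDn)"
$groupSearch.PageSize = 1000
[void]$groupSearch.PropertiesToLoad.Add("distinguishedName")

$sw = [System.Diagnostics.Stopwatch]::StartNew()
$results = $groupSearch.FindAll()
$count = $results.Count          # forces the paged search to run to completion
$sw.Stop()
$results.Dispose()

$seconds = [math]::Round($sw.Elapsed.TotalSeconds, 2)
Write-Host ("{0} nested group(s) resolved in {1} s" -f $count, $seconds)
if ($seconds -gt $ThresholdSec) {
    Write-Warning "Over the $ThresholdSec s threshold: NSX LDAP login is likely to be slow or time out."
} else {
    Write-Host "Within the $ThresholdSec s threshold."
}
```

Run it once without BaseDn to reproduce the KB check, then again with a narrower BaseDn to confirm the workaround brings the lookup under the threshold.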