Connection from NSX manager to SSO fails when authenticated using the LocalOS user
Article ID: 342970
Products
VMware NSX Networking
VMware vSphere ESXi
Issue/Introduction
Symptoms:
Connection from NSX Manager to SSO fails when authenticated using the LocalOS user. You may see an error similar to: Could not establish communication with NSX Manager. Please contact administrator.
Deploying an Edge fails. You may see an error similar to: Did not receive successful HTTP response: status code = 403, status message = [Forbidden].
In the NSX Manager logs, you see entries similar to:
2017-03-27 09:25:30.702 GMT DEBUG http-nio-127.0.0.1-7441-exec-2 URLAccessFilter:49 - Got URL http://102.192.185.245/remote/api/EdgeFacade
2017-03-27 09:25:30.702 GMT DEBUG http-nio-127.0.0.1-7441-exec-2 URLAccessFilter:54 - Path prefix /api/3.0/edges
2017-03-27 09:25:30.703 GMT DEBUG http-nio-127.0.0.1-7441-exec-2 AbstractPreAuthenticatedProcessingFilter:87 - Checking secure context token: null
2017-03-27 09:25:30.703 GMT DEBUG http-nio-127.0.0.1-7441-exec-2 PreAuthenticationFilter:70 - No client certificate found in request.
2017-03-27 09:25:30.703 GMT DEBUG http-nio-127.0.0.1-7441-exec-2 PreAuthenticationFilter:70 - No client certificate found in request.
2017-03-27 09:25:30.703 GMT DEBUG http-nio-127.0.0.1-7441-exec-2 AbstractPreAuthenticatedProcessingFilter:108 - No pre-authenticated principal found in request
2017-03-27 09:25:30.703 GMT DEBUG http-nio-127.0.0.1-7441-exec-2 CacheAuthenticationProvider:59 - Exception was thrown while authenticating using : com.vmware.vshield.vsm.security.service.impl.UsernameVcSessionCacheAuthenticator
org.springframework.security.authentication.BadCredentialsException: Bad Username or Credentials presented.
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
Environment
VMware NSX for vSphere 6.2.x
VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.4.x
VMware vSphere ESXi 6.0
Cause
When a request reaches NSX Manager, it relies on the VCSESSION value in the request header to extract the user name and the vCenter session ID. The user name pattern is always username@domain. When you use a custom local OS domain, that is, one other than @localos, only the bare user name is carried in VCSESSION. When the request contains no domain, VCAuthenticationProvider assumes the domain is @localos and tries to fetch the role for username@localos, which is not present in the role mappings. The role lookup fails, causing the authorization and communication errors above.
Resolution
This issue is resolved in VMware NSX for vSphere 6.4.0, available at VMware Downloads.
To work around this issue if you do not want to upgrade, add a role mapping for nsxmanager@localos as Enterprise Admin in addition to the existing role mapping for nsxmanager@domain, if one exists.
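The following model of the Cause and Resolution sections is an added illustration and is not NSX Manager code; the VCSESSION header layout (user;session-id), the role table, and the custom domain name nsxlocal are assumptions made for the example. It shows why a domain-less user name falls through to @localos and returns 403, and why adding the nsxmanager@localos mapping makes the same request succeed.

```python
from typing import Dict, Optional, Tuple

# Domain that VCAuthenticationProvider assumes when the request carries none.
DEFAULT_DOMAIN = "localos"


def parse_vcsession(header: str) -> Tuple[str, str]:
    """Split an assumed 'user;session-id' VCSESSION value into (user, session_id)."""
    user, _, session_id = header.partition(";")
    if not user or not session_id:
        raise ValueError("malformed VCSESSION header")
    return user, session_id


def qualify_user(user: str) -> str:
    """Return user@domain, defaulting the domain to @localos when none was sent."""
    if "@" in user:
        return user
    return f"{user}@{DEFAULT_DOMAIN}"


def lookup_role(user: str, role_mappings: Dict[str, str]) -> Optional[str]:
    """Resolve the role for the qualified user; None means no mapping (403)."""
    return role_mappings.get(qualify_user(user))


def authorize(header: str, role_mappings: Dict[str, str]) -> int:
    """Return the HTTP status the request would receive: 200 or 403 Forbidden."""
    user, _session_id = parse_vcsession(header)
    return 200 if lookup_role(user, role_mappings) else 403


# Constructed role table: nsxmanager registered only under a custom local OS domain.
ROLES_CUSTOM_DOMAIN = {"nsxmanager@nsxlocal": "enterprise_admin"}
# Same table with the KB workaround applied (nsxmanager@localos added as Enterprise Admin).
ROLES_WITH_WORKAROUND = {**ROLES_CUSTOM_DOMAIN, "nsxmanager@localos": "enterprise_admin"}

if __name__ == "__main__":
    # With a custom domain only the bare user name reaches NSX Manager.
    hdr = "nsxmanager;sess-0001"
    print(authorize(hdr, ROLES_CUSTOM_DOMAIN))    # 403
    print(authorize(hdr, ROLES_WITH_WORKAROUND))  # 200
```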