Connection from NSX manager to SSO fails when authenticated using the LocalOS user
search cancel

Connection from NSX manager to SSO fails when authenticated using the LocalOS user

book

Article ID: 342970

calendar_today

Updated On:

Products

VMware NSX VMware vSphere ESXi

Issue/Introduction

Symptoms:

  • Connection from NSX manager to SSO fails when authenticated using the LocalOS user, you may see an error similar to:
    Could not establish communication with NSX Manager. Please contact administrator.
     
  • Deploying Edge fails, you may see an error similar to:
    Did not receive successful HTTP response: status code = 403, status message = [Forbidden].
     
  • In the NSX Manager logs, you see entries similar to:

    2017-03-27 09:25:30.702 GMT DEBUG http-nio-127.0.0.1-7441-exec-2 URLAccessFilter:49 - Got URL http://10.1.1.2/remote/api/EdgeFacade
    2017-03-27 09:25:30.702 GMT DEBUG http-nio-127.0.0.1-7441-exec-2 URLAccessFilter:54 - Path prefix /api/3.0/edges
    2017-03-27 09:25:30.703 GMT DEBUG http-nio-127.0.0.1-7441-exec-2 AbstractPreAuthenticatedProcessingFilter:87 - Checking secure context token: null
    2017-03-27 09:25:30.703 GMT DEBUG http-nio-127.0.0.1-7441-exec-2 PreAuthenticationFilter:70 - No client certificate found in request.
    2017-03-27 09:25:30.703 GMT DEBUG http-nio-127.0.0.1-7441-exec-2 PreAuthenticationFilter:70 - No client certificate found in request.
    2017-03-27 09:25:30.703 GMT DEBUG http-nio-127.0.0.1-7441-exec-2 AbstractPreAuthenticatedProcessingFilter:108 - No pre-authenticated principal found in request
    2017-03-27 09:25:30.703 GMT DEBUG http-nio-127.0.0.1-7441-exec-2 CacheAuthenticationProvider:59 - Exception was thrown while authenticating using : com.vmware.vshield.vsm.security.service.impl.UsernameVcSessionCacheAuthenticator
    org.springframework.security.authentication.BadCredentialsException: Bad Username or Credentials presented.


    Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.



Environment

VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.2.x
VMware NSX for vSphere 6.4.x
VMware vSphere ESXi 6.0

Cause

When a request comes to NSX manager, it relies on VCSESSION value in request header to fetch out user name and vc session id. Username pattern is always username@domain. When you use custom localos domain i.e. other than @localos, only username is fetched in VCSESSION. When there is no domain in request, VCAuthenticationProvider assumes domain as @localos and tries to fetch role for username@localos which is not present in the role mappings, causing authorization and communication errors.

Resolution

This issue is resolved in VMware NSX for vSphere 6.4.0, available at Broadcom Downloads.

To work around this issue if you do not want to upgrade, add the role for nsxmanager@localos as Enterprise Admin as well along with role for nsxmanager@domain if it exists.