Symptoms:

• Connection from NSX manager to SSO fails when authenticated using the LocalOS user, you may see an error similar to:
  Could not establish communication with NSX Manager. Please contact administrator.
   
• Deploying Edge fails, you may see an error similar to:
  Did not receive successful HTTP response: status code = 403, status message = [Forbidden].
   
• In the NSX Manager logs, you see entries similar to:
  
  2017-03-27 09:25:30.702 GMT DEBUG http-nio-127.0.0.1-7441-exec-2 URLAccessFilter:49 - Got URL http://10.1.1.2/remote/api/EdgeFacade
  2017-03-27 09:25:30.702 GMT DEBUG http-nio-127.0.0.1-7441-exec-2 URLAccessFilter:54 - Path prefix /api/3.0/edges
  2017-03-27 09:25:30.703 GMT DEBUG http-nio-127.0.0.1-7441-exec-2 AbstractPreAuthenticatedProcessingFilter:87 - Checking secure context token: null
  2017-03-27 09:25:30.703 GMT DEBUG http-nio-127.0.0.1-7441-exec-2 PreAuthenticationFilter:70 - No client certificate found in request.
  2017-03-27 09:25:30.703 GMT DEBUG http-nio-127.0.0.1-7441-exec-2 PreAuthenticationFilter:70 - No client certificate found in request.
  2017-03-27 09:25:30.703 GMT DEBUG http-nio-127.0.0.1-7441-exec-2 AbstractPreAuthenticatedProcessingFilter:108 - No pre-authenticated principal found in request
  2017-03-27 09:25:30.703 GMT DEBUG http-nio-127.0.0.1-7441-exec-2 CacheAuthenticationProvider:59 - Exception was thrown while authenticating using : com.vmware.vshield.vsm.security.service.impl.UsernameVcSessionCacheAuthenticator
  org.springframework.security.authentication.BadCredentialsException: Bad Username or Credentials presented.
  
  Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

This issue is resolved in VMware NSX for vSphere 6.4.0, available at Broadcom Downloads.

To work around this issue if you do not want to upgrade, add the role for nsxmanager@localos as Enterprise Admin as well along with role for nsxmanager@domain if it exists.