Informational
The issue and its fix are on the vCenter side; the workaround can be applied on either vCenter or NSX.
Symptoms:
Issue 1:
Preparing NSX-T hosts in a vLCM cluster fails with an error such as:
“Cannot determine whether NSX-T Data Center is enabled on this cluster. Go to NSX-T Data Center system and enable bidirectional trust.”
This occurs even though the compute manager is up and trust has been enabled.
Issue 2:
Cannot access NSX-T UI from vCenter after deployment of an embedded OVA from vCenter
Domain names are case insensitive. This causes problems when the domain name is used inside case-sensitive strings such as the OIDC issuer URL.
The OIDC issuer URL is constructed by the getOIDCEntityID command, which takes the tenant (domain name) as a parameter.
When constructing the JWT, it always gets the default tenant, which is simply a copy of the vCenter domain name as configured, for example AG.local (not lowercased).
Two workaround options are available:
Workaround to be implemented in vCenter:
Note: Please take an offline snapshot of all VCs before proceeding.
Navigate to the DN:
cn=Tenants,cn=IdentityManager,cn=Services,dc=AG,dc=local
Workaround to be implemented in NSX via API:
Change the OIDC issuer in NSX manually using the API.
Note: If the compute manager's thumbprint is updated, it overrides the OIDC changes and the same workaround has to be applied again.
GET https://<nsxmgr>/api/v1/trust-management/oidc-uris
{
"results": [
{
"oidc_uri": "https://<vcsa>/openidconnect/vsphere.local/.well-known/openid-configuration",
"thumbprint": "<thumbprint-uuid>",
"oidc_type": "vcenter",
"scim_endpoints": [],
"claim_map": [],
"serviced_domains": [],
"restrict_scim_search": false,
"end_session_endpoint_uri": "https://<vcsa>/openidconnect/logout/vsphere.local",
"issuer": "https://<vcsa>/openidconnect/vsphere.local",
"jwks_uri": "https://<vcsa>/openidconnect/jwks/vsphere.local",
"token_endpoint": "https://<vcsa>/openidconnect/token/vsphere.local",
"claims_supported": [],
"override_roles": [],
"resource_type": "OidcEndPoint",
"id": "<oidc-id>",
"display_name": "<oidc-display-name>",
"_create_time": 1675162497329,
"_create_user": "<user-id>",
"_last_modified_time": 1675162497329,
"_last_modified_user": "<user-id>",
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_revision": 0
}
]
}
[2023-11-13T13:04:45.849Z] [INFO ] http-nio-5090-exec-591 70052176 101815 ###### com.vmware.identity.websso.client.Message Incoming or outgoing SAML message.
Message Type:AUTHN_REQUEST
ID:<message_id>
SessionIndex:null
Message source:https://<vcsa>/ui/saml/websso/metadata
Message destination:https://<vcsa>/websso/SAML2/SSO/vsphere.LOCAL ← This URI is used in the POST API call below. Only the FQDN and the vsphere.LOCAL components are needed.
Message validation result (for incoming messages):null
DELETE https://<nsxmgr>/api/v1/trust-management/oidc-uris/<oidc-display-name>
POST https://<nsxmgr>/api/v1/trust-management/oidc-uris/
Payload for this POST:
{
"oidc_uri": "https://<vcsa>/openidconnect/vsphere.LOCAL/.well-known/openid-configuration",
"thumbprint": "<>",
"oidc_type": "vcenter",
"scim_endpoints": [],
"claim_map": [],
"serviced_domains": [],
"restrict_scim_search": false,
"end_session_endpoint_uri": "https://<vcsa>/openidconnect/logout/vsphere.local",
"issuer": "https://<vcsa>/openidconnect/vsphere.local",
"jwks_uri": "https://<vcsa>/openidconnect/jwks/vsphere.local",
"token_endpoint": "https://<vcsa>/openidconnect/token/vsphere.local",
"claims_supported": [],
"override_roles": [],
"resource_type": "OidcEndPoint"
}
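The NSX-side workaround above as an added example script (not from the KB or from VMware): it takes the tenant casing from the SAML log's destination URI, flags an NSX-registered issuer that matches vCenter's only case-insensitively, and replays the GET / DELETE / POST sequence. The NSX Manager address, credentials, HTTP basic auth against the REST API, and the sample log line and issuer are assumptions.

```python
import base64
import json
import re
import urllib.request

# Constructed samples: the SAML log's destination URI carries the tenant as vCenter
# really cases it, while NSX registered the lowercased default tenant.
SAMPLE_LOG_LINE = "Message destination:https://vcsa.example.test/websso/SAML2/SSO/vsphere.LOCAL"
NSX_REGISTERED_ISSUER = "https://vcsa.example.test/openidconnect/vsphere.local"
DEST_RE = re.compile(r"Message destination:https://([^/]+)/websso/SAML2/SSO/(\S+)")

def tenant_from_saml_log(line):
    """Return (vcsa_fqdn, tenant) exactly as cased in vCenter's SAML destination URI."""
    m = DEST_RE.search(line)
    if not m:
        raise ValueError("no SAML 'Message destination' URI in log line")
    return m.group(1), m.group(2)

def issuer_needs_fix(registered_issuer, vcsa, tenant):
    """True when NSX's issuer equals vCenter's only case-insensitively (JWT 'iss' is exact-match)."""
    expected = f"https://{vcsa}/openidconnect/{tenant}"
    return registered_issuer != expected and registered_issuer.lower() == expected.lower()

def build_oidc_payload(vcsa, tenant, thumbprint):
    """POST body with the discovery URI in vCenter's casing; issuer/jwks/token fields are assumed to be filled by NSX from discovery."""
    return {
        "oidc_uri": f"https://{vcsa}/openidconnect/{tenant}/.well-known/openid-configuration",
        "thumbprint": thumbprint,
        "oidc_type": "vcenter",
        "resource_type": "OidcEndPoint",
    }

def nsx_request(nsx_mgr, user, password, method, path, body=None):
    """Minimal NSX Manager REST call; HTTP basic auth and a trusted TLS chain are assumed."""
    req = urllib.request.Request(f"https://{nsx_mgr}{path}", method=method,
                                 data=json.dumps(body).encode() if body else None)
    req.add_header("Authorization", "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode())
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")  # DELETE returns an empty body

def fix_oidc_registration(nsx_mgr, user, password, log_line):
    """Apply the KB's GET / DELETE / POST sequence to every mis-cased vCenter endpoint."""
    vcsa, tenant = tenant_from_saml_log(log_line)
    base = "/api/v1/trust-management/oidc-uris"
    for ep in nsx_request(nsx_mgr, user, password, "GET", base)["results"]:
        if ep.get("oidc_type") == "vcenter" and issuer_needs_fix(ep["issuer"], vcsa, tenant):
            nsx_request(nsx_mgr, user, password, "DELETE", f"{base}/{ep['id']}")
            nsx_request(nsx_mgr, user, password, "POST", base + "/",
                        build_oidc_payload(vcsa, tenant, ep["thumbprint"]))
```

Re-run `fix_oidc_registration` after any compute manager thumbprint update, since that overwrites the OIDC registration as the note above describes.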