Active Directory users login to NSX Manager fails after changes to LDAP Server certificates.
search cancel

Active Directory users login to NSX Manager fails after changes to LDAP Server certificates.

book

Article ID: 369799

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

When the certificate for an Active Directory server is modified, the configuration must be updated in NSX Manager.

Until it is updated, attempting to log into NSX Manager with an AD user fails with below.

Your login attempt was not successful.
Unable to contact the LDAP Server.

OR

Your login attempt was not successful. 
The username/password combination is incorrect or the account specified has been locked.

 

In the NSX UI, testing the Connection Status for the LDAP Server(s) under System > User Management > LDAP will fail.




OR 





Environment

VMware NSX-T Data Center
VMware NSX

Cause

NSX manager will fail its connection to an LDAP server due to a mismatch between the certificate information stored in NSX Manager and the active certificate on the LDAP server. There are other issues that can cause the connection to fail such as incorrect credentials, network connection problems, and so forth, but this article is specific to having an LDAP Server's certificate information in NSX that is different from the current certificate used by the LDAP Server.

Resolution

  1. Ensure that the NSX Manager can connect to the LDAP Server on port 636. By command line on NSX Manager, you can test with netcat by running "nc -vz <LDAP server FQDN or IP> 636". If the connection fails, then you will first need to troubleshoot the networking and get it working.
  2. Obtain the LDAP Server certificate. Run command: "openssl s_client -connect <LDAP server FQDN or IP>:636 -showcerts"
  3. Check the certificate information from the output and compare it to the certificate information saved in NSX Manager. In the NSX Manager UI log in as admin, navigate to System > User Management > Authentication Providers > LDAP and expand the details for the LDAP Server.
  4. After verifying that the certificate information does not match, edit the LDAP Server configuration in NSX Manager. Paste in the new certificate information obtained in step 2, fill in the credentials for the LDAP Server, click Add at the bottom, then Save.
  5. Verify that the connection is now successful by refreshing the test of the Connection Status.
  6. Ensure that the AD user(s) from the LDAP Server is now able to log into NSX Manager successfully. 

Additional Information

Reference https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/3-2/administration-guide.html

If the above workaround doesn't work this error also matches the Signing algorithm compatibility issue KB below:

VMware NSX LDAPS server connection not working POST upgrade to VMware NSX 4.1.X

Powered by Wolken Software