"The credentials were incorrect or the account specified has been locked. (error_code 403)" error on NSX Terraform Provider APIs
Article ID: 370259

Products

VMware NSX

Issue/Introduction

This issue is seen with the Terraform Provider for NSX.

The NSX-T user account used with Terraform is denied randomly and may get locked out.

 

The NSX Manager log /var/log/proxy/reverse-proxy.log shows entries similar to the following:

2024-02-27T15:28:28.506Z DEBUG Processing request 0df6c026-####-####-####-########df9 CustomBindAuthenticator 129964 - [nsx@6876 comp="nsx-manager" level="DEBUG" subcomp="http"] Failed to bind as cn=user, dc=example,dc=com(username: [email protected]): org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]


2024-02-27T15:28:28.533Z DEBUG Processing request 0df6c026-####-####-####-########df9 DelegatingLdapAuthProvider 129964 - [nsx@6876 comp="nsx-manager" level="DEBUG" subcomp="http"] User authentication failed over LDAP
org.springframework.security.authentication.BadCredentialsException: Bad credentials
        at com.vmware.nsx.management.rp.security.ldap.CustomBindAuthenticator.doAuthenticationInternal(CustomBindAuthenticator.java:81) ~[libreverse-proxy-compile.jar:?]
        at com.vmware.nsx.management.rp.security.ldap.CustomOpenLdapAuthenticationProvider.doAuthenticationInternal(CustomOpenLdapAuthenticationProvider.java:116) ~[libreverse-proxy-compile.jar:?]
2024-02-27T15:29:18.580Z  WARN Processing request 600190e6-####-####-####-########6d8 CustomOidcAuthorizationCodeAuthenticationProvider 129964 - [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="http"] password grant flow authentication failed


2024-02-27T15:29:18.580Z  WARN Processing request 600190e6-####-####-####-########6d8 AuthenticationBlacklistService 129964 - [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="http"] Account [email protected]@###.###.###.### has been temporarily locked for 900 seconds after 5 consecutive failed login attempts.
 
 

In the NSX Manager log /var/log/proxy/envoy_access_log.txt, a 403 response to /api/session/create can be seen:

[2024-02-27T15:06:56.878Z] ###.###.###.### ###.###.###.### "POST" "/api/session/create" "HTTP/1.1" 403 UAEX 98 119 2 - "##.###.###.###, ##.###.###.###" "terraform-provider-nsxt" "f21d05ea-####-####-####-########e13" "##.###.###.###" "-"
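
To confirm that a lockout was driven by the Terraform provider rather than by an interactive user, the two logs above can be correlated. The following Python is an added example, not part of the original article or of VMware tooling; the sample lines, addresses, account name and the 15-minute window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"
# Field positions follow the envoy_access_log.txt line shown above.
ENVOY_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \S+ \S+ "(?P<method>[A-Z]+)" "(?P<path>[^"]*)" "[^"]*" '
    r'(?P<status>\d{3}) \S+ \d+ \d+ \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Matches the AuthenticationBlacklistService warning in reverse-proxy.log.
LOCK_RE = re.compile(
    r'^(?P<ts>\S+)\s+WARN .*AuthenticationBlacklistService .*Account (?P<account>\S+) '
    r'has been temporarily locked for (?P<secs>\d+) seconds '
    r'after (?P<tries>\d+) consecutive failed login attempts')

def terraform_denials(envoy_lines):
    """Times of 403 responses to POST /api/session/create sent to the provider."""
    out = []
    for line in envoy_lines:
        m = ENVOY_RE.match(line)
        if (m and m["method"] == "POST" and m["path"] == "/api/session/create"
                and m["status"] == "403" and m["ua"].startswith("terraform-provider-nsxt")):
            out.append(datetime.strptime(m["ts"], TS_FMT))
    return out

def lockouts(proxy_lines):
    """Lockout events: when, which account string, lock duration, failed attempts."""
    found = (LOCK_RE.match(line) for line in proxy_lines)
    return [{"at": datetime.strptime(m["ts"], TS_FMT), "account": m["account"],
             "lock_seconds": int(m["secs"]), "attempts": int(m["tries"])}
            for m in found if m]

def correlate(envoy_lines, proxy_lines, window=timedelta(minutes=15)):
    """Attach to each lockout the number of provider 403s in the window before it."""
    denials = terraform_denials(envoy_lines)
    return [{**lock, "terraform_403s": sum(lock["at"] - window <= t <= lock["at"] for t in denials)}
            for lock in lockouts(proxy_lines)]

# Constructed sample input: same layout as the log lines above, placeholder addresses and account.
def envoy_line(hhmm, ua):
    return (f'[2024-02-27T{hhmm}:10.000Z] 192.0.2.10 192.0.2.20 "POST" "/api/session/create" '
            f'"HTTP/1.1" 403 UAEX 98 119 2 - "192.0.2.10" "{ua}" "req-id" "192.0.2.20" "-"')

ENVOY = [envoy_line(f"15:2{i}", "terraform-provider-nsxt") for i in range(4, 9)]
ENVOY += [envoy_line("15:00", "terraform-provider-nsxt"), envoy_line("15:25", "Mozilla/5.0")]
PROXY = ['2024-02-27T15:29:18.580Z  WARN Processing request req-id AuthenticationBlacklistService 129964 - '
         '[nsx@6876 comp="nsx-manager" level="WARNING" subcomp="http"] Account svc-terraform@example.com@192.0.2.10 '
         'has been temporarily locked for 900 seconds after 5 consecutive failed login attempts.']

if __name__ == "__main__":
    for event in correlate(ENVOY, PROXY):
        print(event)
```

A lockout whose `terraform_403s` count equals its `attempts` value points at the provider's stored credential; a count of zero means the failed logins came from another client.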

Environment

VMware NSX

Terraform Provider for NSX

Resolution

Change the password for the Terraform user account so that it does not contain an "&" sign.

Additional Information

This issue will be resolved in a future release of NSX-T Terraform Provider.