LDAP RBAC login fails with "Insufficient privileges invoking GET ... user@domain.com ... with perms: ''"

Article ID: 371407

Products

VMware NSX

Issue/Introduction

  • Active Directory users are unable to log in to the NSX-T UI directly, even though they belong to NSX-T groups that have sufficient role bindings.
  • NSX-T uses direct LDAP integration for RBAC role assignment.
  • Log entries that show this issue:

var/log/nvpapi/api_server.log: Insufficient privileges invoking GET /api/v1/cluster-manager/config by [email protected] in groups '['[email protected]', 'Domain [email protected]', '[email protected]']' ........ with perms: ''

var/log/nvpapi/api_server.log: napi.rest_routine_rbac_utils INFO Insufficient privileges invoking GET /api/v1/node/version by [email protected] in groups '['[email protected]', 'Domain [email protected]', '[email protected]']' ........ with perms: ''
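
To check whether a log shows this pattern, the following added example (not from the article or from VMware) parses lines of the shape shown above and lists users who were denied although their LDAP groups were resolved and the permission set is empty. The function names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Shape taken from the api_server.log excerpts above. The text between the
# group list and "with perms" is elided on the page, so it is matched loosely.
DENIED = re.compile(
    r"Insufficient privileges invoking (?P<method>[A-Z]+) (?P<path>\S+) "
    r"by (?P<user>\S+) in groups '\[(?P<groups>.*?)\]'"
    r".*?with perms: '(?P<perms>[^']*)'"
)

def parse_denials(lines):
    """Yield one dict per RBAC denial line; unrelated lines are skipped."""
    for line in lines:
        m = DENIED.search(line)
        if m:
            yield {
                "request": f"{m['method']} {m['path']}",
                "user": m["user"],
                "groups": re.findall(r"'([^']*)'", m["groups"]),
                "perms": m["perms"].strip(),
            }

def suspect_users(lines):
    """Map user -> denied requests where groups resolved but perms are empty."""
    hits = defaultdict(set)
    for d in parse_denials(lines):
        # Groups present with empty perms is the pattern in this article: the
        # LDAP lookup returned groups, yet no role binding matched them.
        if d["groups"] and not d["perms"]:
            hits[d["user"]].add(d["request"])
    return dict(hits)

# Constructed sample lines; users and groups are made up. The empty group
# list in the third line is an assumed variant, not taken from the article.
SAMPLE = [
    "Insufficient privileges invoking GET /api/v1/cluster-manager/config by alice@example.com in groups '['nsx-admins@example.com', 'Domain Users@example.com']' ........ with perms: ''",
    "napi.rest_routine_rbac_utils INFO Insufficient privileges invoking GET /api/v1/node/version by alice@example.com in groups '['nsx-admins@example.com', 'Domain Users@example.com']' ........ with perms: ''",
    "napi.rest_routine_rbac_utils INFO Insufficient privileges invoking GET /api/v1/node/version by bob@example.com in groups '[]' ........ with perms: ''",
    "napi.rest_routine INFO request completed",
]

if __name__ == "__main__":
    for user, requests in sorted(suspect_users(SAMPLE).items()):
        print(user, sorted(requests))
```

A user who appears in the result has group memberships but no matching role binding, which is the signature described here; a user with an empty group list points to a different problem.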

Environment

VMware NSX-T Data Center
VMware NSX

Cause

A bug in NAPI causes the domain name in the role binding to be treated as case-sensitive.

 

 

Resolution

This is a known issue affecting VMware NSX. It is fixed in VMware NSX 4.2.1 and above.

There are two options to work around this issue:

  1. Edit the LDAP configuration so that the domain name is DOMAIN.COM (all upper-case),

    -or-

  2. Delete the existing groups in NSX and re-add them. Once that's done, the role bindings will refer to "domain.com" in lower case and the users in those groups will be able to log into NSX.