Access denied
You are not authorized to perform this operation. Please check your permissions.
In /var/log/nsx-audit.log, it is observed that the Granted Authorities list is empty (Granted Authorities=[]) for an AD user who belongs to AD groups through a nested AD group, i.e. the nested group membership is not resolved. Please refer to the example log excerpt below.
<###>1 YYYY-MM-DDTHH:MM:SS.SSSZ <NSX Manager FQDN> NSX 3322 SYSTEM [nsx@6876 audit="true" comp="nsx-manager" level="INFO" subcomp="http"] UserName="LdapUserDetailsImpl [Dn=CN=#####.,CN=Users,DC=#####,DC=#####; Username=<username>@<AD Domain>; Password=[PROTECTED]; Enabled=true; AccountNonExpired=true; CredentialsNonExpired=true; AccountNonLocked=true; Granted Authorities=[]]@127.0.0.1", ModuleName="ACCESS_CONTROL", Operation="LOGOUT", Operation status="success"
VMware NSX 4.2.0
This issue occurred due to a defect in the upgrade logic, which disables the resolve nested groups function ("resolve_nested_groups") on existing LDAP identity sources. New 4.2 deployments are not impacted; only LDAP configurations that existed before the upgrade are affected.
This issue is resolved in VMware NSX 4.2.1 available at Broadcom Downloads.
If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.
Workaround:
Option 1:
Delete the LDAP config in the System -> User Management -> Authentication Providers UI and add it again. There is no need to re-add the groups, as long as the same name for the LDAP config is used.
Option 2:
Follow the steps below to use the API to set the "resolve_nested_groups" flag to true:
1. Run GET https://<NSX_MGR_IP>/policy/api/v1/aaa/ldap-identity-sources/ and note the "id" and "resolve_nested_groups" fields of each LDAP identity source.
2. Confirm that the "resolve_nested_groups" field is set to false in the output.
3. Run GET https://<NSX_MGR_IP>/policy/api/v1/aaa/ldap-identity-sources/<id>/, replacing <id> with the id identified in the previous step.
4. Copy the output and modify "resolve_nested_groups" to true. This modified output will be used as the body of the PUT request in the final step.
5. Run PUT https://<NSX_MGR_IP>/policy/api/v1/aaa/ldap-identity-sources/<id>/ with the modified output as the request body to set the "resolve_nested_groups" flag to true against the NSX Manager configured AD.
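The Option 2 GET/GET/PUT sequence, scripted as an added example (not part of this KB and not VMware/Broadcom code): it lists the identity sources, selects only those whose flag is false, and sends each one back unchanged except for "resolve_nested_groups". It assumes the environment variables NSX_MGR_IP, NSX_USER and NSX_PASSWORD, and optionally CA_BUNDLE (a PEM file used to verify the NSX Manager certificate); none of these names come from the KB.

```python
"""Set resolve_nested_groups=true on each affected NSX LDAP identity source
using the KB's GET / GET / PUT sequence against the policy API.
Assumed (not from the KB): env vars NSX_MGR_IP, NSX_USER, NSX_PASSWORD and
optionally CA_BUNDLE, the CA file used to verify the NSX Manager's TLS cert.
"""
import base64
import copy
import json
import os
import ssl
import urllib.request

LDAP_SOURCES = "/policy/api/v1/aaa/ldap-identity-sources/"


def needs_fix(listing):
    """Ids of sources whose resolve_nested_groups flag is explicitly false."""
    return [s["id"] for s in listing.get("results", [])
            if s.get("resolve_nested_groups") is False]


def patched_body(source):
    """Copy of a GET /<id>/ response with only the flag flipped to true.
    Everything else, including _revision, is sent back unchanged."""
    body = copy.deepcopy(source)
    body["resolve_nested_groups"] = True
    return body


def fix_all(request, base):
    """request(method, url, body=None) -> dict. Returns the ids that were PUT."""
    fixed = []
    for sid in needs_fix(request("GET", base + LDAP_SOURCES)):
        current = request("GET", f"{base}{LDAP_SOURCES}{sid}/")
        request("PUT", f"{base}{LDAP_SOURCES}{sid}/", patched_body(current))
        fixed.append(sid)
    return fixed


def nsx_request(method, url, body=None):
    """Minimal NSX REST call with HTTP basic auth and TLS verification."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    cred = f"{os.environ['NSX_USER']}:{os.environ['NSX_PASSWORD']}".encode()
    req.add_header("Authorization", "Basic " + base64.b64encode(cred).decode())
    req.add_header("Content-Type", "application/json")
    ctx = ssl.create_default_context(cafile=os.environ.get("CA_BUNDLE"))
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read() or b"{}")


if __name__ == "__main__":
    print(fix_all(nsx_request, f"https://{os.environ['NSX_MGR_IP']}"))
```

After it runs, re-run the first GET and confirm every source now reports "resolve_nested_groups": true; sources that already had the flag set are never touched.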