Error "Access Denied" received by AD Users login message after upgrade

Article ID: 376044

Products

VMware NSX

Issue/Introduction

  • After upgrading to NSX 4.2.0, Active Directory users are unable to log in and receive the following error message:
    Access denied
    You are not authorized to perform this operation. Please check your permissions.
  • The AD user is a member of an AD nested group, that is, a member of a group that is itself a member of the group mapped to an NSX role.
  • The NSX Manager audit log in /var/log/nsx-audit.log shows an empty Granted Authorities list (Granted Authorities=[]); none of the AD groups the user belongs to are resolved to an NSX role:
    <###>1 YYYY-MM-DDTHH:MM:SS.SSSZ <NSX Manager FQDN> NSX 3322 SYSTEM [nsx@6876 audit="true" comp="nsx-manager" level="INFO" subcomp="http"] UserName="LdapUserDetailsImpl [Dn=CN=#####.,CN=Users,DC=#####,DC=#####; Username=<username>@<AD Domain>; Password=[PROTECTED]; Enabled=true; AccountNonExpired=true; CredentialsNonExpired=true; AccountNonLocked=true; Granted Authorities=[]]@127.0.0.1", ModuleName="ACCESS_CONTROL", Operation="LOGOUT", Operation status="success"
  • The URL of the Access Denied page carries the error code:
    ErrorMessageCode=noroles
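To find affected users from the audit trail rather than waiting for login complaints, the following Python script (an added example written for this article, not part of the article itself or of NSX) parses ACCESS_CONTROL entries of the form quoted above and reports LDAP users whose Granted Authorities list is empty. The sample log lines, the host name, the user names, the PRI value and the role name "enterprise_admin" are constructed placeholders, not real NSX output.

```python
import re

# Constructed sample lines, modelled on the /var/log/nsx-audit.log entry quoted
# in the article. Host, users, PRI value and the role name are placeholders.
SAMPLE_AUDIT_LOG = """\
<182>1 2024-01-01T10:00:00.000Z nsxmgr.corp.example NSX 3322 SYSTEM [nsx@6876 audit="true" comp="nsx-manager" level="INFO" subcomp="http"] UserName="LdapUserDetailsImpl [Dn=CN=alice,CN=Users,DC=corp,DC=example; Username=alice@corp.example; Password=[PROTECTED]; Enabled=true; AccountNonExpired=true; CredentialsNonExpired=true; AccountNonLocked=true; Granted Authorities=[]]@127.0.0.1", ModuleName="ACCESS_CONTROL", Operation="LOGOUT", Operation status="success"
<182>1 2024-01-01T10:01:00.000Z nsxmgr.corp.example NSX 3322 SYSTEM [nsx@6876 audit="true" comp="nsx-manager" level="INFO" subcomp="http"] UserName="LdapUserDetailsImpl [Dn=CN=bob,CN=Users,DC=corp,DC=example; Username=bob@corp.example; Password=[PROTECTED]; Enabled=true; AccountNonExpired=true; CredentialsNonExpired=true; AccountNonLocked=true; Granted Authorities=[enterprise_admin]]@127.0.0.1", ModuleName="ACCESS_CONTROL", Operation="LOGIN", Operation status="success"
<182>1 2024-01-01T10:02:00.000Z nsxmgr.corp.example NSX 3322 SYSTEM [nsx@6876 audit="true" comp="nsx-manager" level="INFO" subcomp="http"] UserName="admin@127.0.0.1", ModuleName="ACCESS_CONTROL", Operation="LOGIN", Operation status="success"
"""

# The LDAP user details sit between "LdapUserDetailsImpl [" and "]@<client ip>";
# the Operation field follows later on the same line.
LDAP_ENTRY_RE = re.compile(
    r'UserName="LdapUserDetailsImpl \[(?P<details>.*?)\]@[^"]*"'
    r'.*?Operation="(?P<op>[A-Z_]+)"'
)
USERNAME_RE = re.compile(r"Username=(?P<user>[^;]+);")
AUTHORITIES_RE = re.compile(r"Granted Authorities=\[(?P<auths>[^\]]*)\]")


def parse_ldap_audit_line(line):
    """Extract username, operation and granted authorities from one LDAP
    ACCESS_CONTROL audit line. Returns None for local users and other lines."""
    m = LDAP_ENTRY_RE.search(line)
    if not m:
        return None
    details = m.group("details")
    user = USERNAME_RE.search(details)
    auths = AUTHORITIES_RE.search(details)
    if not user or not auths:
        return None
    granted = [a.strip() for a in auths.group("auths").split(",") if a.strip()]
    return {"user": user.group("user"), "operation": m.group("op"), "authorities": granted}


def ldap_users_without_roles(log_text):
    """Sorted, de-duplicated usernames of LDAP users whose audit entries show
    Granted Authorities=[] (the 'noroles' symptom described in the article)."""
    hits = set()
    for line in log_text.splitlines():
        rec = parse_ldap_audit_line(line)
        if rec is not None and not rec["authorities"]:
            hits.add(rec["user"])
    return sorted(hits)


if __name__ == "__main__":
    import sys

    # Pass the path of nsx-audit.log (or a copy of it); defaults to the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    for user in ldap_users_without_roles(text):
        print(f"{user}: no NSX roles granted, check nested group resolution")
```

Run it as `python3 noroles.py /var/log/nsx-audit.log` on the manager or against a copy of the log. Local users (plain `admin@...` entries) are ignored because they carry no LdapUserDetailsImpl block, so only LDAP-backed identities are reported.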
     

Environment

VMware NSX 4.2.0

Cause

  • The upgrade disables nested group resolution (the resolve_nested_groups setting of the LDAP identity source) on existing configurations. Group memberships the user holds only through a nested group are therefore no longer resolved, and the user is granted no NSX role.
  • New 4.2.0 deployments are not affected.
  • Only LDAP integrations configured before the upgrade are affected.

Resolution

This issue is resolved in VMware NSX 4.2.1, available at Broadcom downloads.
If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.

Workaround:

Confirm whether nested group resolution is currently set to false

  1. Obtain the id and resolve_nested_groups values of each LDAP identity source:
    curl -k -u 'admin:<PASSWORD>' https://<NSX_MGR_IP>/policy/api/v1/aaa/ldap-identity-sources/
    Note: Replace <PASSWORD> and <NSX_MGR_IP> with the appropriate values.
    Note: Take note of the id associated with the impacted AD identity source.
  2. Check the resolve_nested_groups field of that identity source:
  • Note: If resolve_nested_groups is true, the issue must be resolved by deleting and re-adding the LDAP integration in the UI.
  • Note: If resolve_nested_groups is false, the issue can be resolved by enabling it through the REST API.

Delete and re-add the LDAP integration using the UI

  1. Go to System -> User Management -> Authentication Providers
  2. Delete the affected identity source and add the same identity source again
  3. Ensure the user mapping still exists for the same identity source

Note: Use the same name for the LDAP integration to avoid having to re-add the AD groups.

Enable nested group resolution using the REST API

  1. Obtain the configuration of the impacted LDAP identity source:
    GET https://<NSX_MGR_IP>/policy/api/v1/aaa/ldap-identity-sources/<id>/
    Note: Replace <id> with the id noted in the previous section.

  2. Copy the output to a file and edit it so that resolve_nested_groups is set to true
    Note: This modified output is used as the body of the PUT request in step 3.

  3. Update the LDAP configuration:
    PUT https://<NSX_MGR_IP>/policy/api/v1/aaa/ldap-identity-sources/<id>/
    Note: Use the modified LDAP configuration as the body of the REST call. Send back the complete object returned by the GET, not only the changed field, so that no other settings are lost. Afterwards, verify that an affected AD user can log in and that the Granted Authorities list in /var/log/nsx-audit.log is no longer empty for that user.
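The check in the previous section and the three REST steps above can be combined into one script. The following Python script is an added example written for this article, not VMware's or Broadcom's code: it lists the LDAP identity sources, selects those whose resolve_nested_groups is false, fetches each complete object and PUTs it back with the flag set to true. It assumes that the listing wraps objects in a results array (the usual NSX list response shape), that each object carries a _revision field that must be returned unchanged on PUT, and that the field is named resolve_nested_groups as in step 2 above. The sample listing is constructed. Credentials come from the NSX_USER and NSX_PASSWORD environment variables, and NSX_VERIFY_TLS=0 reproduces curl -k.

```python
import base64
import json
import os
import ssl
import urllib.request

LDAP_SOURCES_PATH = "/policy/api/v1/aaa/ldap-identity-sources/"

# Constructed sample of the listing returned by GET .../ldap-identity-sources/.
# Assumed shape: NSX list responses wrap objects in "results"; "_revision" is the
# optimistic-locking counter NSX expects back unchanged on PUT. Not real output.
SAMPLE_LISTING = {
    "results": [
        {"id": "corp-ad", "display_name": "corp-ad", "domain_name": "corp.example",
         "base_dn": "DC=corp,DC=example", "resolve_nested_groups": False, "_revision": 4},
        {"id": "lab-ad", "display_name": "lab-ad", "domain_name": "lab.example",
         "base_dn": "DC=lab,DC=example", "resolve_nested_groups": True, "_revision": 1},
    ],
    "result_count": 2,
}


def affected_sources(listing):
    """Ids of identity sources whose nested group resolution is off, the state
    the 4.2.0 upgrade leaves behind on pre-existing integrations."""
    return [s["id"] for s in listing.get("results", [])
            if s.get("resolve_nested_groups") is False]


def enable_nested_groups(config):
    """Return a copy of one identity source object with resolve_nested_groups=true.

    Refuses to touch a source that already reports true: per the article that
    case is fixed by deleting and re-adding the integration in the UI."""
    if config.get("resolve_nested_groups") is True:
        raise ValueError(f"{config['id']}: already true, re-add the integration via the UI")
    updated = dict(config)  # keep every other field, including _revision
    updated["resolve_nested_groups"] = True
    return updated


def nsx_request(base_url, method, path, user, password, body=None, verify_tls=True):
    """Minimal JSON client using HTTP basic auth (the same credential curl -u sends)."""
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        base_url + path, data=data, method=method,
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"})
    # verify_tls=False mirrors `curl -k`; only use it against a lab manager.
    ctx = ssl.create_default_context() if verify_tls else ssl._create_unverified_context()
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read())


def main():
    base_url = f"https://{os.environ['NSX_MGR_IP']}"
    user = os.environ.get("NSX_USER", "admin")
    password = os.environ["NSX_PASSWORD"]
    verify = os.environ.get("NSX_VERIFY_TLS", "1") != "0"
    listing = nsx_request(base_url, "GET", LDAP_SOURCES_PATH, user, password, verify_tls=verify)
    for source_id in affected_sources(listing):
        path = f"{LDAP_SOURCES_PATH}{source_id}/"
        current = nsx_request(base_url, "GET", path, user, password, verify_tls=verify)
        result = nsx_request(base_url, "PUT", path, user, password,
                             body=enable_nested_groups(current), verify_tls=verify)
        print(source_id, "resolve_nested_groups ->", result.get("resolve_nested_groups"))


if __name__ == "__main__":
    main()
```

Sources that already report true are skipped by affected_sources, which matches the article's guidance that those must be deleted and re-added in the UI. Re-running the listing GET after the script finishes is the quickest confirmation that every source now reports resolve_nested_groups true.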