LDAP / VIDM authentication failing or some parts of the UI showing Unauthorized with "Error: User is not authorized to perform this operation on the application. Please contact the system administrator to get access. (Error code: 401)"
Article ID: 381104

Updated On:

Products

VMware NSX

Issue/Introduction

  • LDAP / VIDM authentication failing or some parts of the UI showing Unauthorized. 
  • User may be configured with role "Enterprise Admin" 
  • You may see the error "Something went wrong" on sections of the NSX-T Web Interface. 
  • You may see "Error: User is not authorized to perform this operation on the application. Please contact the system administrator to get access. (Error code: 401)"
  • Attempts to access the User management page present "policy.localusers.empty"
  • You have recently installed or upgraded to NSX version 4.2.0
  • You may see log entries similar to the following in the NSX Manager logs:
/var/log/syslog
2024-10-28T10:31:15.980Z <system> NSX 75312 SYSTEM [nsx@6876 comp="global-manager" errorCode="MP21025" level="ERROR" reqId="########-####-####-####-########622f" subcomp="manager"                  username="<username>"] Couldn't get count of transport nodes, connected to MP ########-####-####-####-########4b98
2024-10-28T10:31:15.982Z <system> NSX 75312 SYSTEM [nsx@6876 comp="global-manager" errorCode="MP100" level="ERROR" subcomp="manager"] ServletOutputStream failed to write:                          java.io.IOException: Broken pipe

 

/var/log/proton/nsxapi.log
2024-10-28T10:31:15.964Z ERROR http-nio-127.0.0.1-7440-exec-14 ClusterNodeAggregatorServiceImpl 75312 SYSTEM [nsx@6876 comp="global-manager" errorCode="MP21025" level="ERROR" reqId="########-####-####-####-########622f" subcomp="manager" username="<username>"] Couldn't get count of transport nodes, connected to MP ########-####-####-####-########b05ef
java.lang.NullPointerException: null at com.vmware.nsx.management.appliance.manager.service.impl.ClusterNodeAggregatorServiceImpl.getTransportNodesCount(ClusterNodeAggregatorServiceImpl.java:258) ~[libnsx-manager-appliance.jar:?]
2024-10-28T10:31:15.970Z ERROR http-nio-127.0.0.1-7440-exec-13 NsxBaseRestController 75312 SYSTEM [nsx@6876 comp="global-manager" errorCode="MP100" level="ERROR" subcomp="manager"] ServletOutputStream failed to write: java.io.IOException: Broken pipe org.springframework.web.context.request.async.AsyncRequestNotUsableException: ServletOutputStream failed to write: java.io.IOException: Broken pipe at org.springframework.web.context.request.async.StandardServletAsyncWebRequest$LifecycleHttpServletResponse.handleIOException(StandardServletAsyncWebRequest.java:320) ~[spring-web-5.3.34.jar:5.3.34]

 

/var/log/nvpapi/api_server.log
2024-10-27T08:04:22.946Z napi.rest_routine_rbac_utils INFO Insufficient privileges invoking GET /api/v1/cluster/backups/ui_frames by <username> (############################LnNh) in groups '['<group-name>']' (############################LnNh) with perms: ''

Environment

VMware NSX 4.2.0.x

Cause

NAPI is configured to store user details in the NSX-T database in lower case. LDAP/VIDM-based users and groups whose names contain uppercase characters are not converted to lower case, so they fail to match the stored entries.
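
To confirm that denials on a manager come from this case mismatch, the "Insufficient privileges" entries in /var/log/nvpapi/api_server.log can be checked for principals that contain uppercase characters and resolved to an empty permission set. The following Python script is an added example, not Broadcom or NSX code; it assumes the log line shape quoted in this article, and the users, groups and ids in SAMPLE_LOG are constructed.

```python
import re
import sys

# Shape of the denial entry in /var/log/nvpapi/api_server.log, taken from the
# log line quoted in this article (assumption: other entries follow the same shape).
DENIED = re.compile(
    r"Insufficient privileges invoking (?P<method>\S+) (?P<path>\S+) "
    r"by (?P<user>.+?) \([^)]*\) in groups '\[(?P<groups>.*?)\]' \([^)]*\) "
    r"with perms: '(?P<perms>[^']*)'"
)

def find_case_mismatches(lines):
    """Return {principal: set(paths)} for users/groups that contain uppercase
    characters and were denied with an empty permission set."""
    hits = {}
    for line in lines:
        m = DENIED.search(line)
        if not m or m.group("perms").strip():
            continue  # not a denial, or the caller resolved to some permissions
        principals = [m.group("user")] + re.findall(r"'([^']*)'", m.group("groups"))
        for name in principals:
            if name != name.lower():  # uppercase present: candidate for this issue
                hits.setdefault(name, set()).add(m.group("path"))
    return hits

# Constructed sample lines; names, ids and the 'auditor' permission are made up.
PFX = "2024-10-27T08:04:22.946Z napi.rest_routine_rbac_utils INFO Insufficient privileges invoking GET "
SAMPLE_LOG = [
    PFX + "/api/v1/cluster/backups/ui_frames by jdoe@example.test (id-redacted) in groups '['NSX-Admins@example.test']' (id-redacted) with perms: ''",
    PFX + "/api/v1/node/users by JSmith@example.test (id-redacted) in groups '['nsx-ops@example.test']' (id-redacted) with perms: ''",
    # All lower case and no permissions: a genuine missing role binding, not this issue.
    PFX + "/api/v1/node/users by guest@example.test (id-redacted) in groups '['visitors@example.test']' (id-redacted) with perms: ''",
    # Uppercase group but permissions were resolved: matching worked, so not flagged.
    PFX + "/api/v1/node/users by amy@example.test (id-redacted) in groups '['Audit@example.test']' (id-redacted) with perms: 'auditor'",
    "2024-10-28T10:31:15.982Z <system> NSX 75312 SYSTEM unrelated entry",
]

if __name__ == "__main__":
    # With a path argument, read that log file; otherwise use the constructed sample.
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    for name, paths in sorted(find_case_mismatches(source).items()):
        print(f"{name}: denied with empty perms on {len(paths)} path(s)")
```

Principals it reports are the ones to recreate in lower case under the workaround below, or to re-test after upgrading.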

Resolution

This issue is resolved in VMware NSX 4.2.1, available at Broadcom downloads.

If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.

 

Alternative Workaround:

Create a new group or modify the user account so that its name is presented entirely in lower case.

Example usergroup that has issues:


Create or modify a user group so that its name is all lower case, which allows user authentication to succeed.