LDAP / VIDM authentication failing or some parts of the UI showing Unauthorized with "Error: User is not authorized to perform this operation on the application. Please contact the system administrator to get access. (Error code: 401)"

Article ID: 381104


Updated On:

Products

VMware NSX

Issue/Introduction

  • LDAP / VIDM authentication failing or some parts of the UI showing Unauthorized. 
  • User may be configured with role "Enterprise Admin" 
  • You may see the error "Something went wrong" on sections of the NSX-T Web Interface. 
  • You may see "Error: User is not authorized to perform this operation on the application. Please contact the system administrator to get access. (Error code: 401)"
  • Attempts to access the User management page present "policy.localusers.empty"
  • You have recently installed or upgraded to NSX version 4.2.0
  • You may see log entries similar to the following in the NSX Manager logs:

 

/var/log/syslog
 
2024-10-28T10:31:15.980Z <system> NSX 75312 SYSTEM [nsx@6876 comp="global-manager" errorCode="MP21025" level="ERROR" reqId="########-####-####-####-########622f" subcomp="manager" username="<username>"] Couldn't get count of transport nodes, connected to MP ########-####-####-####-########4b98
2024-10-28T10:31:15.982Z <system> NSX 75312 SYSTEM [nsx@6876 comp="global-manager" errorCode="MP100" level="ERROR" subcomp="manager"] ServletOutputStream failed to write: java.io.IOException: Broken pipe
 
 
/var/log/proton/nsxapi.log
 
2024-10-28T10:31:15.964Z ERROR http-nio-127.0.0.1-7440-exec-14 ClusterNodeAggregatorServiceImpl 75312 SYSTEM [nsx@6876 comp="global-manager" errorCode="MP21025" level="ERROR" reqId="########-####-####-####-########622f" subcomp="manager" username="<username>"] Couldn't get count of transport nodes, connected to MP ########-####-####-####-########b05ef
java.lang.NullPointerException: null
        at com.vmware.nsx.management.appliance.manager.service.impl.ClusterNodeAggregatorServiceImpl.getTransportNodesCount(ClusterNodeAggregatorServiceImpl.java:258) ~[libnsx-manager-appliance.jar:?]
2024-10-28T10:31:15.970Z ERROR http-nio-127.0.0.1-7440-exec-13 NsxBaseRestController 75312 SYSTEM [nsx@6876 comp="global-manager" errorCode="MP100" level="ERROR" subcomp="manager"] ServletOutputStream failed to write: java.io.IOException: Broken pipe
org.springframework.web.context.request.async.AsyncRequestNotUsableException: ServletOutputStream failed to write: java.io.IOException: Broken pipe
        at org.springframework.web.context.request.async.StandardServletAsyncWebRequest$LifecycleHttpServletResponse.handleIOException(StandardServletAsyncWebRequest.java:320) ~[spring-web-5.3.34.jar:5.3.34]
 
/var/log/nvpapi/api_server.log
 
2024-10-27T08:04:22.946Z napi.rest_routine_rbac_utils INFO Insufficient privileges invoking GET /api/v1/cluster/backups/ui_frames by <username> (############################LnNh) in groups '['<group-name>']' (############################LnNh) with perms: ''

Environment

VMware NSX 4.2.0.x

Cause

NAPI is configured to store user details in the NSX-T database in lower case. LDAP/VIDM-based user and group names that contain uppercase characters are not converted to lowercase, so they fail to match the stored entries.
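
A triage check built on the cause described above, as an added example (not Broadcom's code): it parses denial lines of the shape quoted from /var/log/nvpapi/api_server.log and lists users whose request resolved to empty perms while the user or group name contains uppercase characters. The function name is hypothetical, and the sample users, groups and ids are constructed.

```python
import ast
import re

# Shape of the RBAC denial line the article quotes from /var/log/nvpapi/api_server.log.
DENIAL = re.compile(
    r"^\S+ napi\.rest_routine_rbac_utils INFO Insufficient privileges invoking "
    r"(?P<method>\S+) (?P<path>\S+) by (?P<user>.+?) \([^)]*\) "
    r"in groups '(?P<groups>\[.*?\])' \([^)]*\) with perms: '(?P<perms>[^']*)'"
)

def case_mismatch_suspects(lines):
    """Map user -> {"names": mixed-case user/group names, "denials": count}
    for denials that resolved to no permissions at all."""
    suspects = {}
    for line in lines:
        m = DENIAL.match(line.strip())
        if not m or m["perms"]:
            continue  # unrelated line, or some permissions did resolve
        try:
            groups = ast.literal_eval(m["groups"])  # logged as a Python list repr
        except (ValueError, SyntaxError):
            groups = []
        # A name that differs from its lowercase form cannot match a lowercase-only store.
        mixed = {n for n in [m["user"], *groups] if n != n.lower()}
        if mixed:
            entry = suspects.setdefault(m["user"], {"names": set(), "denials": 0})
            entry["names"] |= mixed
            entry["denials"] += 1
    return suspects

# Constructed sample lines: users, groups and ids are made up for illustration.
HEAD = ("2024-10-27T08:04:22.946Z napi.rest_routine_rbac_utils INFO "
        "Insufficient privileges invoking GET /api/v1/cluster/backups/ui_frames by ")
SAMPLE = [
    HEAD + "Alice@corp.example (id-1) in groups '['NSX-Admins']' (id-2) with perms: ''",
    HEAD + "Alice@corp.example (id-1) in groups '['NSX-Admins']' (id-2) with perms: ''",
    HEAD + "bob@corp.example (id-3) in groups '['nsx-auditors']' (id-4) with perms: ''",
    HEAD + "dave@corp.example (id-5) in groups '['NSX-Ops', 'netops']' (id-6) with perms: ''",
    "2024-10-27T08:04:23.000Z napi.other_module INFO unrelated constructed line",
]

if __name__ == "__main__":
    for user, info in case_mismatch_suspects(SAMPLE).items():
        print(user, sorted(info["names"]), info["denials"])
```

An all-lowercase user in all-lowercase groups that is still denied (bob in the sample) is not flagged, since that points to a role assignment problem rather than this case-handling issue.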

Resolution

NSX must be upgraded to 4.2.1 to resolve this issue.

 

 

Additional Information

To work around the issue, create a new group or modify the user account so that its name is presented in lower case.

Example usergroup that has issues:


Create or modify a user group so that its name is all lower case, which allows user authentication to succeed.