NSX-T was unable to communicate with the VMware Identity Manager (vIDM) 3.3.7 environment, leading to failed authentication attempts for users. Attempts to log in to NSX-T through vIDM displayed the below error:
Upon logging into NSX-T with admin credentials and navigating to System > Settings > User Management > VMware Identity Manager > Edit, it was observed that the attempts to save the settings resulted in the following error:
VMware Identity Manager 3.3.x
The primary cause of the issue is an outdated vIDM thumbprint configured in NSX-T.
The vIDM thumbprint is the SHA-256 fingerprint of the TLS certificate that vIDM presents on port 443. NSX-T pins this value: it trusts the vIDM endpoint because the served certificate hashes to the configured thumbprint, not because of a CA chain. When the certificate changes (for example through renewal or re-issuance), the fingerprint changes with it, the pin no longer matches, and NSX-T refuses to establish a secure connection to vIDM, so every vIDM-backed login fails. Because the thumbprint is a pin, it should only be updated once the new certificate has been confirmed to be the one legitimately installed on the vIDM appliance or load balancer, otherwise the pin protects nothing.
Verify Health of vIDM Services:
Log in to the vIDM UI and confirm that the health status of all components is green by clicking the Health icon at the top right.
SSH into each vIDM node and check that the opensearch and horizon-workspace services are active:
service opensearch status
service horizon-workspace status
Run Inventory Sync in LCM:
Run Inventory Sync for the vIDM/Global Environment from LCM to refresh the health status shown in LCM. Inventory Sync normally completes successfully when vIDM is healthy; if it reports errors, troubleshoot them using the LCM error code before continuing.
Confirm that the vIDM health status in LCM changes to Healthy (green) after the Inventory Sync.
Attempt Connection Verification in NSX-T:
Log in to NSX-T using admin credentials.
Navigate to System > Settings > User Management > VMware Identity Manager; the VMware Identity Manager Connection is shown as "Down" (as in the Issue/Introduction section of this article).
Click Edit and attempt to save the configuration; saving fails with the error shown in the Issue/Introduction section of this article.
Retrieve the Latest vIDM SSL Thumbprint (Step 4):
SSH into the vIDM host and run the following command to obtain the updated SSL thumbprint:
Update the SSL Thumbprint in NSX-T:
Log in to NSX-T using local admin credentials.
Go to System > Settings > User Management > VMware Identity Manager > Edit.
Replace the contents of the SSL Thumbprint field with the latest SSL thumbprint obtained in Step 4.
Save the changes to update the thumbprint, confirming there are no errors.
Note: A change in the vIDM certificate does not alter the OAuth Client ID used when registering vIDM as an identity source in NSX-T. That ID belongs to the Web App integration created in vIDM when NSX-T was registered (it is application-specific, not appliance-specific), so it does not need to be changed after a certificate change.
Verify Connectivity:
Confirm that NSX-T shows a successful connection to vIDM and that authentication via Workspace ONE Access is restored.
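The following is an added example, not part of the VMware article: it shows how the SHA-256 thumbprint that NSX-T pins for vIDM is derived from the certificate, verifies that derivation independently, and performs the comparison whose failure produces the symptom above. It assumes openssl and sha256sum are on PATH. The "old" and "renewed" certificates are self-signed and constructed here purely to stand in for the vIDM appliance certificate before and after re-issuance; the hostname vidm.example.local is a placeholder. The live-endpoint function is included for use against a real vIDM and is not executed in the offline demo.

```shell
#!/usr/bin/env sh
# Added example (not from the VMware KB). Assumes openssl and sha256sum exist.
set -eu

# Thumbprint in the colon-separated uppercase form openssl prints and the NSX-T
# "SSL Thumbprint" field accepts: SHA-256 over the DER encoding of the cert.
vidm_thumbprint_from_pem() {
    openssl x509 -in "$1" -noout -sha256 -fingerprint | sed 's/^.*Fingerprint=//'
}

# Independent derivation of the same value: PEM -> DER -> sha256 -> AA:BB:...
vidm_thumbprint_independent() {
    openssl x509 -in "$1" -outform DER | sha256sum | awk '{print toupper($1)}' \
        | sed 's/../&:/g; s/:$//'
}

# Normalise so "ab:cd" and "ABCD" compare equal (operators paste both forms).
normalise_thumbprint() {
    printf '%s' "$1" | tr -d ':' | tr '[:lower:]' '[:upper:]'
}

# Compare the thumbprint configured in NSX-T ($1) with the one vIDM serves ($2).
# Exit status 0 = match, 1 = mismatch (the condition described in this article).
thumbprint_matches() {
    [ "$(normalise_thumbprint "$1")" = "$(normalise_thumbprint "$2")" ]
}

# Thumbprint of a live endpoint (needs network; not run in this offline demo).
# vIDM serves on 443; -servername matters when a load balancer fronts the nodes.
vidm_thumbprint_live() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -sha256 -fingerprint | sed 's/^.*Fingerprint=//'
}

# Constructed scenario: an "old" appliance certificate and a "renewed" one.
make_cert() {   # $1 = output PEM path; key written next to it
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=vidm.example.local" -keyout "$1.key" -out "$1" 2>/dev/null
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_cert "$WORK/old.pem"
make_cert "$WORK/new.pem"

OLD_TP=$(vidm_thumbprint_from_pem "$WORK/old.pem")   # what NSX-T still has pinned
NEW_TP=$(vidm_thumbprint_from_pem "$WORK/new.pem")   # what vIDM presents after renewal

if thumbprint_matches "$OLD_TP" "$NEW_TP"; then
    echo "OK: NSX-T thumbprint matches the certificate vIDM serves"
else
    echo "MISMATCH: vIDM certificate changed; update the SSL Thumbprint in NSX-T to $NEW_TP"
fi
```

Against a real deployment, compare the value in the NSX-T SSL Thumbprint field with vidm_thumbprint_live of the vIDM FQDN, and cross-check that result against the certificate file on the appliance itself before updating the pin, so that the new thumbprint is taken from a certificate you have verified rather than from whatever happens to answer on port 443.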
This issue can occur even if the vIDM health appears green in LCM or vIDM itself.
For additional reference, see:
VMware Documentation: VMware Documentation on SSL Thumbprint Retrieval
Blog Post: vIDM SSL Thumbprint Troubleshooting
By following these steps and understanding the cause, you can resolve the invalid thumbprint error and re-establish successful authentication between NSX-T and vIDM.
Note: A certificate change on the load balancer or on the vIDM nodes is an appliance-level change, not a change to the identity service as a functionality. Unless the NSX-T registration in vIDM itself is changed, the client secret used on the NSX-T side for the vIDM integration remains unaffected.