• NSX-T was unable to communicate with the VMware Identity Manager (vIDM) 3.3.7 environment, leading to failed authentication attempts for users. Attempts to log in to NSX-T through vIDM displayed the below error:

  • Workspace ONE Access is not accessible. CLICK HERE to log in to NSX Manager using your local user account.

• Despite confirming that vIDM services were running and healthy in both vIDM SSh and the vIDM UI, NSX-T’s VMware Identity Manager Connection status showed as "Down."

• Upon logging into NSX-T with admin credentials and navigating to System > Settings > User Management > VMware Identity Manager > Edit, it was observed that the attempts to save the settings resulted in the following error:

  • Error: Invalid VMware Identity Manager thumbprint specified. (Error code: 36520)

• vIDM health in LCM may show as Critical in some scenarios.

• VMware Identity Manager 3.3.x

• The primary cause of the issue is an outdated vIDM thumbprint configured in NSX-T. 

• The vIDM thumbprint is a cryptographic hash of the server's SSL certificate. When the certificate changes (e.g., due to renewal or re-issuance), the thumbprint also changes. An outdated thumbprint prevents NSX-T from establishing a secure connection with vIDM, leading to authentication failures.

• Verify Health of vIDM Services:

  • Log in to vIDM ui and verify and confirm that the health status of all the components is in Green by clicking on the top right Health icon.

• SSH into vIDM nodes to check that opensearch and horizon-workspace services are active using:

  • service opensearch status

  • service horizon-workspace status

• Run Inventory Sync in LCM:

  • Run Inventory Sync for vIDM/Global Environment from LCM to refresh the health status in LCM. Typically Inventory Sync runs successfully as viDM would be in a Healthy state and if there are any errors during sync then please troubleshoot sync issues using the LCM error code.

  • Confirm that vIDM health status changes to Healthy (Green) in LCM after Inventory Sync.

• Attempt Connection Verification in NSX-T:

  • Log in to NSX-T using admin credentials.

  • Navigate to System > Settings > User Management > VMware Identity Manager, where the VMware Identity Manager Connection would be marked as "Down" (as shown in Issue/Introduction section in this Article)

  • Click Edit and attempt to save the configuration and upon saving the following error will be encountered: (as shown in Issue/Introduction section in this Article)

    • Error: Invalid VMware Identity Manager thumbprint specified. (Error code: 36520)

• Retrieve the Latest vIDM SSL Thumbprint: (This is Step 4)

  • SSH into the vIDM host and run the following command to obtain the updated SSL thumbprint:

    • openssl s_client -connect <FQDN of vIDM host>:443 < /dev/null 2> /dev/null | openssl x509 -sha256 -fingerprint -noout -in /dev/stdin

• Update the SSL Thumbprint in NSX-T:

  • Login to NSX-T using local admin credentials.

  • Go to System > Settings > User Management > VMware Identity Manager > Edit.

  • Edit the SSL Thumbprint field and paste the latest SSL thumbprint obtained in Step 4.

  • Save the changes to update the thumbprint, confirming there are no errors.

Note: A change in certificate of the vIDM would not alter the OAuth Client ID ( used while registering vIDM as an identity source in NSX-T), as this would pertains to the ID created ( Application level specific and not Appliance specific) when the NSX-T is registered as a Web App integration in vIDM and thus would not need to changed in case of an event of certificate change. 

• Verify Connectivity:

  • Confirm that NSX-T shows a successful connection to vIDM and that authentication via Workspace ONE Access is restored.

• This issue can occur even if the vIDM health appears green in LCM or vIDM itself.

• For additional reference, see:

  • VMware Documentation: VMware Documentation on SSL Thumbprint Retrieval

  • Blog Post: vIDM SSL Thumbprint Troubleshooting

  • Blog Post: Resolving NSX-T and vIDM Connection Down Issues

• By following these steps and understanding the cause, you can resolve the invalid thumbprint error and re-establish successful authentication between NSX-T and vIDM.

• Note: Change in the certificate on the LB / nodes, is an instance / appliance level associated change and not a change associated to the identity service as a functionality and thus unless a change in the NSX registration to the vIDM, the Secret used for the integration on NSX for vIDM, would remain unaffected.