Users may observe the following issues in NSX Identity Firewall Active Directory (AD) Integration:

• The Synchronization Status for Active Directory under System > Identity Firewall AD shows "Down".
• Clicking on the "Down" status displays the Last Sync Error:
  "Cannot connect to any LDAP server in domain."
• Clicking on the "LDAP Server" shows Connectivity Status: "Down".
• Further investigation into the error details shows:
  "Error: Thumbprint Provided 'xxxxxxxx' does not match with the thumbprint from the LDAP server '#######', '{Correct thumbprint=yyyyyyyyyyyyyyy}'."
  (Error code: 524007)

VMware vDefend Firewall (NSX) with Identity Firewall (IDFW) Integration

This issue occurs due to an LDAP certificate thumbprint mismatch between NSX and the configured LDAP server. Possible reasons include:

1. LDAP Server Certificate Renewal:

   • If the LDAP server’s SSL certificate was recently renewed, its thumbprint changes. However, NSX still references the old thumbprint, which is causing authentication failures.

2. Incorrect Thumbprint Configuration:

   • If the LDAP server was manually added with an incorrect or outdated thumbprint, NSX cannot establish a secure connection.

To resolve the issue, follow these steps to remove and re-add the LDAP servers in NSX to update the stored thumbprint:

1. Navigate to NSX Manager UI

   • Go to System > Identity Firewall > Active Directory.

2. Remove Existing LDAP Server Entries

   • Identify the affected LDAP servers.
   • Click on each LDAP server and remove it from the configuration.

3. Re-Add the LDAP Server

   • Click on Add LDAP Server and reconfigure the connection.
   • During this process, NSX will fetch and store the updated thumbprint from the LDAP server.

4. Verify Synchronization Status

   • After re-adding, verify that the Synchronization Status now shows "Up" and that no thumbprint mismatch error is present.