Active Directory Synchronization Status Shows "Down" Due to LDAP Thumbprint Mismatch

Article ID: 389526

Updated On: 02-28-2025

Products

VMware vDefend Firewall

Issue/Introduction

Users may observe the following issues in NSX Identity Firewall Active Directory (AD) Integration:

  • The Synchronization Status for Active Directory under System > Identity Firewall AD shows "Down".
  • Clicking on the "Down" status displays the Last Sync Error:
    "Cannot connect to any LDAP server in domain."
  • Clicking on the "LDAP Server" shows Connectivity Status: "Down".
  • Further investigation into the error details shows:
    "Error: Thumbprint Provided 'xxxxxxxx' does not match with the thumbprint from the LDAP server '#######', '{Correct thumbprint=yyyyyyyyyyyyyyy}'."
    (Error code: 524007)

Environment

VMware vDefend Firewall (NSX) with Identity Firewall (IDFW) Integration

Cause

This issue occurs due to an LDAP certificate thumbprint mismatch between NSX and the configured LDAP server. Possible reasons include:

  1. LDAP Server Certificate Renewal:
    • If the LDAP server’s SSL certificate was recently renewed, its thumbprint changed. NSX still references the old thumbprint, which causes authentication failures.
  2. Incorrect Thumbprint Configuration:
    • If the LDAP server was manually added with an incorrect or outdated thumbprint, NSX cannot establish a secure connection.

Resolution

To resolve the issue, follow these steps to remove and re-add the LDAP servers in NSX to update the stored thumbprint:

  1. Navigate to NSX Manager UI
    • Go to System > Identity Firewall > Active Directory.
  2. Remove Existing LDAP Server Entries
    • Identify the affected LDAP servers.
    • Click on each LDAP server and remove it from the configuration.
  3. Re-Add the LDAP Server
    • Click on Add LDAP Server and reconfigure the connection.
    • During this process, NSX will fetch and store the updated thumbprint from the LDAP server.
  4. Verify Synchronization Status
    • After re-adding, verify that the Synchronization Status now shows "Up" and that no thumbprint mismatch error is present.
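As an added diagnostic (not part of this article or of NSX), the following Python script fetches the certificate an LDAP server currently presents and compares its thumbprint with the value stored in NSX, so you can confirm that a renewal is the cause before removing the entry and confirm the new thumbprint after re-adding it. It assumes LDAPS on port 636 without StartTLS, and infers the hash from the length of the stored value (40 hex characters SHA-1, 64 SHA-256); that NSX displays one of these two is an assumption.

```python
"""Diagnostic: does the thumbprint NSX stores for an LDAP server still match
the certificate that server presents? Added example, not NSX or KB code."""
import hashlib
import socket
import ssl

# hex digest length -> hash algorithm (which one NSX displays is an assumption)
HASH_BY_HEX_LENGTH = {40: "sha1", 64: "sha256"}

def normalize_thumbprint(value: str) -> str:
    """Drop the separators the UI or openssl may show and lowercase the hex."""
    cleaned = value.replace(":", "").replace(" ", "").strip().lower()
    if not cleaned or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError(f"not a hex thumbprint: {value!r}")
    return cleaned

def thumbprint_of(cert_der: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of the DER-encoded certificate."""
    return hashlib.new(algorithm, cert_der).hexdigest()

def thumbprint_matches(cert_der: bytes, configured: str) -> bool:
    """Compare the stored value with the certificate, picking the hash by length."""
    expected = normalize_thumbprint(configured)
    algorithm = HASH_BY_HEX_LENGTH.get(len(expected))
    if algorithm is None:
        raise ValueError(f"unsupported thumbprint length {len(expected)}")
    return thumbprint_of(cert_der, algorithm) == expected

def fetch_ldap_cert(host: str, port: int = 636, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate from an LDAPS listener (assumed: port 636, no StartTLS).
    Chain verification is off because the point is to read what the server presents;
    the stored thumbprint is the trust anchor being checked, so nothing is trusted here."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def diagnose(host: str, configured: str, port: int = 636) -> str:
    """One-line verdict, including the thumbprint NSX will pick up on re-add."""
    cert_der = fetch_ldap_cert(host, port)
    if thumbprint_matches(cert_der, configured):
        return f"OK: {host} presents the configured thumbprint"
    algorithm = HASH_BY_HEX_LENGTH[len(normalize_thumbprint(configured))]
    return f"MISMATCH: {host} now presents {thumbprint_of(cert_der, algorithm)}; re-add it in NSX"

if __name__ == "__main__":
    import sys  # usage: python check_ldap_thumbprint.py ldap.example.com <stored thumbprint>
    print(diagnose(sys.argv[1], sys.argv[2]))
```

Run it with the LDAP server's hostname and the thumbprint shown in the NSX error ('xxxxxxxx' in the message above); a MISMATCH line prints the value NSX will store once the server is re-added, which should equal the "Correct thumbprint" the error reports.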