Logging into NSX with LDAP authentication the local manager throws a HTTP 503 error page

Article ID: 391578

Products

VMware NSX

Issue/Introduction

  • NSX LDAP authentication fails with HTTP 503 error
  • May be unable to return to login page and receive another HTTP 503 error
  • Output of the following command has the value of the field "crl_checking_enabled" set to 'true'
    • curl -u admin:${PASSWORD} -i -k -X GET https://$IP/api/v1/global-configs/SecurityGlobalConfig
      {
        "crl_checking_enabled" : true,         <----------------
        "ca_signed_only" : false,
        "eku_checking_enabled" : true,
        "resource_type" : "SecurityGlobalConfig",
        "id" : "########-####-####-####-############",
        "_system_owned" : false,
        "_protection" : "NOT_PROTECTED",
        "_create_time" : 0,
        "_create_user" : "",
        "_last_modified_time" : 1234567890,
        "_last_modified_user" : "system",
        "_revision" : 1
      }
    • May see logs in /var/log/proxy/reverse-proxy.log similar to:
      2025-03-07T12:34:56.198Z  WARN Processing request ########-####-####-####-############ CrlWebDirectFetcher 1750000 SYSTEM [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="http"] Couldn't get LDAP context from URI ldap:///CN=nsx-######-CA,CN=nsx-#######,CN=#####,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=####,DC=##########,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
      2025-03-07T12:34:56.257Z  WARN Processing request ########-####-####-####-############ DelegatingLdapAuthProvider 1750000 - [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="http"] Cannot connect to LDAP server: null

Environment

VMware NSX-T Data Center 3.x
VMware NSX-T Data Center
VMware NSX

Cause

The CRL distribution point is an LDAP URI with no host name (it starts with "ldap:///..."), so NSX Manager has no server to contact and cannot fetch the CRL.

For this reason, VMware by Broadcom doesn't support LDAP CRLs.

NOTE: By default the parameter crl_checking_enabled is set to true.

Resolution

Either provide HTTP-hosted CRLs or set crl_checking_enabled to false.

  • To set crl_checking_enabled to false:
    curl -u admin:${PASSWORD} -i -k -X PUT https://$IP/api/v1/global-configs/SecurityGlobalConfig -H "Content-Type:application/json" -d '{ "_revision" : 0, "resource_type": "SecurityGlobalConfig", "crl_checking_enabled" : false, "ca_signed_only" : false }'

  • NOTE:

    • There should be no need to make this call on each instance. Performing it on one node per cluster should change all 3 nodes.
    • Please be advised that the current _revision value is required. You can obtain this value using the following command.
      • curl -u admin:${PASSWORD} -i -k -X GET https://$IP/api/v1/global-configs/SecurityGlobalConfig
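  • As an added example (not from this article), a small shell script that performs the steps above in order: it reads the current configuration, takes the current _revision from it so the PUT is not rejected, and only changes crl_checking_enabled when it is actually true. The environment variable names NSX_IP, NSX_USER and NSX_PASSWORD are assumptions.

```shell
#!/bin/sh
# Added example, not part of the KB: apply the resolution above using the
# _revision from the GET response. Assumed env vars: NSX_IP, NSX_USER, NSX_PASSWORD.

# Print the bare value (true/false or a number) of one top-level field
# from a SecurityGlobalConfig response body; $1 = JSON text, $2 = field name.
get_field() {
  printf '%s\n' "$1" |
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\([A-Za-z0-9]*\).*/\1/p" |
    head -n 1
}

# Build the PUT body: booleans unquoted as in the GET output, CRL checking
# forced off, the other flags carried over unchanged from the current config
# so the full-object PUT does not silently reset them.
build_put_body() {
  rev=$(get_field "$1" _revision)
  ca=$(get_field "$1" ca_signed_only)
  eku=$(get_field "$1" eku_checking_enabled)
  [ -n "$rev" ] && [ -n "$ca" ] && [ -n "$eku" ] || return 1
  printf '{"_revision": %s, "resource_type": "SecurityGlobalConfig", "crl_checking_enabled": false, "ca_signed_only": %s, "eku_checking_enabled": %s}' \
    "$rev" "$ca" "$eku"
}

# GET the config and, only if crl_checking_enabled is true, PUT it back as false.
disable_crl_checking() {
  url="https://${NSX_IP}/api/v1/global-configs/SecurityGlobalConfig"
  current=$(curl -sS -k -u "${NSX_USER}:${NSX_PASSWORD}" -X GET "$url") || return 1
  if [ "$(get_field "$current" crl_checking_enabled)" != "true" ]; then
    echo "crl_checking_enabled is not true; nothing to change"
    return 0
  fi
  body=$(build_put_body "$current") || { echo "cannot parse current config" >&2; return 1; }
  curl -sS -k -u "${NSX_USER}:${NSX_PASSWORD}" -X PUT "$url" \
    -H "Content-Type: application/json" -d "$body"
}

# Constructed sample modelled on the GET output in this article (not real data).
SAMPLE_CONFIG='{ "crl_checking_enabled" : true, "ca_signed_only" : false,
  "eku_checking_enabled" : true, "resource_type" : "SecurityGlobalConfig",
  "_last_modified_time" : 1234567890, "_revision" : 1 }'

if [ -n "${NSX_IP:-}" ]; then
  disable_crl_checking
else
  echo "NSX_IP not set; showing the PUT body built from the constructed sample:"
  build_put_body "$SAMPLE_CONFIG"
fi
```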

Additional Information