LDAP Connection status displaying failed in the NSX-T UI
search cancel

LDAP Connection status displaying failed in the NSX-T UI

book

Article ID: 391876

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

  • You are seeing connection status as 'Failed' when viewing the status of LDAP server connectivity from NSX UI >> User Management >> LDAP >> Connection status



  • When hovered over the failed status you see 'The username and/or password are incorrect' error



  • Also we see the Synchronization status will be in 'Failure' state

       

  • NSX manager syslog shows below error:

    syslog.6:2025-03-18T14:40:45.695Z <nsx-manager-fqdn> NSX 70827 SYSTEM [nsx@##76 comp="nsx-manager" level="WARNING" reqId="#####138-2##4-4##c-###5-9####b1##16" subcomp="manager" username="<[email protected]>"] [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044A, comment: AcceptSecurityContext error, data 775, v3839#000]

    syslog.6:2025-03-18T14:59:51.061Z <nsx-manager-fqdn> NSX 70827 SYSTEM [nsx@##76 comp="nsx-manager" level="WARNING" reqId="#####949-15##-###d-b###-#####a53##5" subcomp="manager" username="<[email protected]>"] [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044A, comment: AcceptSecurityContext error, data 52e, v3839#000]

Environment

VMware NSX-T Datacenter
VMware NSX

Cause

The error in syslog mentioned above is displayed when username is valid but password/credential is invalid or if the svc account used to configure LDAP server on NSX is locked out

Resolution

The explanation for the error codes in syslog are as below:

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893 
HEX: 0x52e - invalid credentials 
DEC: 1326 - ERROR_LOGON_FAILURE (Logon failure: unknown user name or bad password.) 
NOTE: Returns when username is valid but password/credential is invalid.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 775, v893 
HEX: 0x775 - account locked out 
DEC: 1909 - ERROR_ACCOUNT_LOCKED_OUT (The referenced account is currently locked out and may not be logged on to.) 
LDAP[userAccountControl: <bitmask=0x00000010>] - LOCKOUT 
NOTE: Returns even if invalid password is presented 

Follow the below steps to troubleshoot the issue:

  • Check if you are entering the right credentials of the account you are using to add LDAP server to NSX.
  • Check if the svc account you are using to add the LDAP server to NSX, has been locked out on LDAP side.
  • Check the LDAP events to see if there are any attempts made from that problem svc account on the LDAP server from the NSX manager IP and please look for event ID's 4624, 4625 and any other event ID's which may provide information of the login attempt.
  • Create a new user on LDAP and try adding the LDAP server to NSX using the new user account.
  • Try adding the LDAP server to NSX using IP instead of FQDN.
  • SSH to NSX manager and run the below command to check connectivity to the LDAP server.

    nc -zvv <LDAP-server-IP> <port-number-used-for-LDAP>

    Example:
    nc -zvv <LDAP-server-IP> 389 (for LDAP)
    nc -zvv <LDAP-server-IP> 636 (for LDAPS)
    nc -zvv <LDAP-server-IP> 3268 (for LDAP GC)
    nc -zvv <LDAP-server-IP> 3269 (for LDAPS GC)

If the issue not resolved after following above troubleshooting steps, please open a case with Broadcom Support.

Powered by Wolken Software