When attempting to validate the NSX Cloud Account using a domain account, the following error is intermittently encountered:
[403] The credentials were incorrect or the account specified has been locked.

The error occurs due to Active Directory account lockouts caused by repeated failed authentication attempts from Aria Automation or other sources.

Resolution

Step 1: Review Aria Automation Logs

Log file:

/services-logs/prelude/provisioning-service-app/files-logs/provisioning-service-app.log

Sample error snippet:

provisioning-service-app/file-logs/provisioning-service-app.log: 
WARN provisioning [...] Failed to validate credentials. 
AdapterReference: http://provisioning-service.prelude.svc.cluster.local:8282/provisioning/nsxt/endpoint-config-adapter. 
Error: [403] [The credentials were incorrect or the account specified has been locked.]

Step 2: Review NSX-T Logs

If Aria Automation logs do not show the required information, the same can be validated from NSX-T Manager logs:

• /var/log/syslog

• /var/log/proton/nsxapi.log

Sample entries:

comp="nsx-manager" level="WARNING" subcomp="http"] password grant flow authentication failed
comp="nsx-manager" level="INFO" subcomp="http"] UserName="<Domain Account>" ModuleName="ACCESS_CONTROL", Operation="LOGIN", status="failure"
comp="nsx-manager" level="WARNING" subcomp="http"] Account "<Domain Account>" has been temporarily locked for 900 seconds after multiple failed login attempts
comp="nsx-manager" errorCode="MP403" level="ERROR" subcomp="http"] The credentials were incorrect or the account specified has been locked.

These logs confirm that the domain account is getting locked in Active Directory due to repeated failed login attempts.

Next Steps

• Engage the Active Directory team to identify the source of the account lockouts.

• Update the correct credentials wherever necessary.

• Once the password is corrected, and the account is unlocked, the issue should be resolved.