2nd party (vRA, vRNI, and vRO) integrations to NSX with vIDM service accounts failing authentication after NSX upgraded to 4.2.x.

Article ID: 408066


Products

VMware NSX

Issue/Introduction

  • NSX is integrated with vIDM for user authentication, and the service accounts used by products such as vRNI are added to NSX as vIDM users. 
  • Authentication of those accounts by NSX integrations from products such as vRNI fails with errors such as "Invalid credentials" or "incorrect username or password". 
  • The issue may have started after an NSX upgrade to 4.2.x. 
  • The NSX Manager nsxapi log (/var/log/proton/nsxapi.log) reports that the failures occur because the account has been locked out after repeated failed login attempts:

2025-06-09T23:47:21.098Z [NSX Manager hostname] NSX 74660 SYSTEM [nsx@6876 audit="true" comp="nsx-manager" level="INFO" subcomp="http"] UserName="[[email protected]]@10.###.##.21", ModuleName="ACCESS_CONTROL", Operation="LOGIN", Operation status="failure"
2025-06-09T23:52:26.987Z [NSX Manager hostname] NSX 74660 SYSTEM [nsx@6876 audit="true" comp="nsx-manager" level="INFO" subcomp="http"] UserName="[[email protected]]@10.###.##.21", ModuleName="ACCESS_CONTROL", Operation="LOGIN", Operation status="failure"
2025-06-09T23:52:26.987Z [NSX Manager hostname] NSX 74660 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] User [[email protected]]@10.###.##.21 login lockout expired
2025-06-09T23:52:26.987Z [NSX Manager hostname] NSX 74660 - [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="http"] Account [[email protected]]@10.###.##.21 has been temporarily locked for 900 seconds after 20 consecutive failed login attempts.

  • The accounts that fail authentication through NSX authenticate successfully outside the NSX auth workflow, for instance directly against Active Directory. 
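To see which accounts the nsxapi audit lines are reporting as failing and when a lockout ends, the lines can be parsed rather than read by hand. The following Python script is an added example, not part of the original article or of any VMware tooling; the log lines it carries are constructed to match the format shown above, with a placeholder host name, account name and source IP, and the 900-second lockout and 20-attempt threshold are the values from the article's log.

```python
"""Summarize NSX Manager nsxapi login failures and account lockouts per account."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on the nsxapi audit format shown in this article.
# Host name, account name and source IP are placeholders, not values from a real system.
SAMPLE_LOG = """\
2025-06-09T23:47:21.098Z [nsxmgr-01] NSX 74660 SYSTEM [nsx@6876 audit="true" comp="nsx-manager" level="INFO" subcomp="http"] UserName="[svc-vrni@corp.example]@10.0.0.21", ModuleName="ACCESS_CONTROL", Operation="LOGIN", Operation status="failure"
2025-06-09T23:52:26.987Z [nsxmgr-01] NSX 74660 SYSTEM [nsx@6876 audit="true" comp="nsx-manager" level="INFO" subcomp="http"] UserName="[svc-vrni@corp.example]@10.0.0.21", ModuleName="ACCESS_CONTROL", Operation="LOGIN", Operation status="failure"
2025-06-09T23:52:26.987Z [nsxmgr-01] NSX 74660 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] User [svc-vrni@corp.example]@10.0.0.21 login lockout expired
2025-06-09T23:52:26.987Z [nsxmgr-01] NSX 74660 - [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="http"] Account [svc-vrni@corp.example]@10.0.0.21 has been temporarily locked for 900 seconds after 20 consecutive failed login attempts.
2025-06-09T23:55:00.000Z [nsxmgr-01] NSX 74660 SYSTEM [nsx@6876 audit="true" comp="nsx-manager" level="INFO" subcomp="http"] UserName="admin@10.0.0.5", ModuleName="ACCESS_CONTROL", Operation="LOGIN", Operation status="success"
"""

# Syslog-style prefix: timestamp, [host], "NSX <pid> <msgid>", [structured data], message.
LINE_RE = re.compile(r'^(?P<ts>\S+) \[(?P<host>[^\]]+)\] NSX \d+ \S+ \[(?P<sd>[^\]]*)\] (?P<msg>.*)$')
LOGIN_RE = re.compile(r'UserName="(?P<user>[^"]+)", ModuleName="ACCESS_CONTROL", '
                      r'Operation="LOGIN", Operation status="(?P<status>\w+)"')
LOCK_RE = re.compile(r'Account (?P<user>\S+) has been temporarily locked for (?P<secs>\d+) seconds '
                     r'after (?P<count>\d+) consecutive failed login attempts')


def parse_ts(ts: str) -> datetime:
    """Parse the UTC ISO-8601 timestamp used in nsxapi.log."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def analyze(log_text: str):
    """Return (consecutive_failures, lockouts).

    consecutive_failures: account -> number of LOGIN failures since its last success.
    lockouts: account -> (locked_until, failed_attempts) from the most recent lockout message.
    """
    consecutive_failures = defaultdict(int)
    lockouts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a line in the expected format (e.g. a continuation line)
        ts, msg = parse_ts(m["ts"]), m["msg"]
        login = LOGIN_RE.search(msg)
        if login:
            if login["status"] == "failure":
                consecutive_failures[login["user"]] += 1
            else:
                consecutive_failures[login["user"]] = 0  # a success resets the streak
            continue
        lock = LOCK_RE.search(msg)
        if lock:
            locked_until = ts + timedelta(seconds=int(lock["secs"]))
            lockouts[lock["user"]] = (locked_until, int(lock["count"]))
    return dict(consecutive_failures), lockouts


def locked_accounts(log_text: str, now: datetime):
    """Accounts whose most recent lockout has not yet expired at `now`."""
    _, lockouts = analyze(log_text)
    return sorted(user for user, (until, _) in lockouts.items() if until > now)


if __name__ == "__main__":
    failures, lockouts = analyze(SAMPLE_LOG)
    for user, count in sorted(failures.items()):
        print(f"{user}: {count} consecutive failed login(s)")
    for user, (until, attempts) in lockouts.items():
        print(f"{user}: locked after {attempts} failures until {until.isoformat()}")
```

Run it against a copy of nsxapi.log (`analyze(open("nsxapi.log").read())`) to list the locked integration accounts and the time at which each lockout expires; the account name in the output includes the source IP suffix (`@10.0.0.21` in the constructed sample), so one service account polling from several appliances shows up once per source.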

Environment

VMware NSX

Resolution

There is no known resolution; the root cause of this issue is not fully understood. 

Workaround:

  • If it is not already configured, add the Active Directory domain these users belong to as an LDAP identity source in NSX. 
  • Remove the user, currently added as a vIDM user, from NSX. 
  • Re-add the same user as an LDAP user with the same role binding as before. See Add Role Assignment or Principal Identity for details. 
  • Before retesting, confirm in nsxapi.log that the 900-second lockout from the earlier failures has expired; a test attempt against a still-locked account fails regardless of the identity source, and further failed attempts lock it again.
  • Retry the same authentication workflow with the user now added as an LDAP user. 
  • If authentication still fails for the user as an LDAP user, or the user is required to remain a vIDM user, remove the user from NSX again.
  • Re-add the same user as a vIDM user, again with the same role binding.
  • Authentication for this user should start working 30 to 60 minutes later.
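The remove-and-re-add steps above can also be driven through the NSX Manager REST API instead of the UI, which keeps the role binding identical between the vIDM and LDAP versions of the user. The Python below is an added example, not code from this article or from VMware; the endpoint path (/api/v1/aaa/role-bindings) and the RoleBinding field names (name, type, identity_source_type, identity_source_id, roles) are taken from the NSX API reference and should be checked against the reference for your NSX version, and the sample binding, identity source ID and Manager host name are constructed placeholders.

```python
"""Plan the NSX API calls that re-create a user's role binding under a different identity source."""
import json

# Endpoint and field names follow the NSX Manager RoleBinding API; confirm them against the
# API reference for your NSX version before running the generated requests.
ROLE_BINDINGS = "/api/v1/aaa/role-bindings"
IDENTITY_SOURCE_TYPES = ("VIDM", "LDAP")

# Constructed placeholder: what GET /api/v1/aaa/role-bindings?name=... might return for a vIDM user.
EXISTING_VIDM_BINDING = {
    "id": "d3b1c4e2-0000-4000-8000-000000000001",
    "name": "svc-vrni@corp.example",
    "type": "remote_user",
    "identity_source_type": "VIDM",
    "roles": [{"role": "network_engineer", "role_display_name": "Network Engineer"}],
}


def plan_rebind(existing, identity_source_type, identity_source_id=None):
    """Return the ordered (method, path, body) calls that delete `existing` and re-create it
    with the same user name and roles under `identity_source_type`.

    LDAP bindings must reference the LDAP identity source (identity_source_id); vIDM ones must not.
    """
    if identity_source_type not in IDENTITY_SOURCE_TYPES:
        raise ValueError(f"unsupported identity source type {identity_source_type!r}")
    if identity_source_type == "LDAP" and not identity_source_id:
        raise ValueError("LDAP role bindings require the identity_source_id of the LDAP source")
    if identity_source_type == "VIDM" and identity_source_id:
        raise ValueError("vIDM role bindings do not take an identity_source_id")
    if existing.get("type") != "remote_user":
        raise ValueError("only remote_user bindings are rebound by this helper")

    new_binding = {
        "name": existing["name"],
        "type": "remote_user",
        "identity_source_type": identity_source_type,
        # Copy only the role identifiers; display names are server-populated read-only fields.
        "roles": [{"role": r["role"]} for r in existing["roles"]],
    }
    if identity_source_id:
        new_binding["identity_source_id"] = identity_source_id
    return [
        ("DELETE", f"{ROLE_BINDINGS}/{existing['id']}", None),
        ("POST", ROLE_BINDINGS, new_binding),
    ]


def as_curl(manager_host, step):
    """Render one planned step as a curl command. Credentials and CA trust come from the caller:
    curl prompts for the admin password and validates the Manager certificate against the
    system trust store, so no password or --insecure flag is embedded in the command."""
    method, path, body = step
    cmd = f"curl -u admin -X {method} 'https://{manager_host}{path}'"
    if body is not None:
        cmd += " -H 'Content-Type: application/json' -d '" + json.dumps(body) + "'"
    return cmd


def roles_preserved(existing, plan):
    """Check that the POST in a plan carries exactly the role identifiers of the original binding."""
    post_body = next(body for method, _, body in plan if method == "POST")
    return {r["role"] for r in post_body["roles"]} == {r["role"] for r in existing["roles"]}


if __name__ == "__main__":
    # Workaround step: vIDM user -> LDAP user, same roles ("ldap-src-0001" is a placeholder ID).
    to_ldap = plan_rebind(EXISTING_VIDM_BINDING, "LDAP", "ldap-src-0001")
    for step in to_ldap:
        print(as_curl("nsx-manager.corp.example", step))
    # Later, if the user must go back to vIDM: LDAP user -> vIDM user, same roles.
    ldap_binding = dict(to_ldap[1][2], id="d3b1c4e2-0000-4000-8000-000000000002")  # placeholder ID
    for step in plan_rebind(ldap_binding, "VIDM"):
        print(as_curl("nsx-manager.corp.example", step))
```

The planner never contacts NSX itself; it emits the DELETE and POST as curl commands so the role payload can be reviewed before it is applied, and `roles_preserved` is the check that the re-created binding grants exactly what the original did and nothing more. The LDAP identity source ID to pass in is the `id` returned by GET /api/v1/aaa/ldap-identity-sources for the directory added in the first workaround step.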