Aria Operations for Networks (AON) is generating Invalid Credentials error for some NSX Managers
search cancel

Aria Operations for Networks (AON) is generating Invalid Credentials error for some NSX Managers

book

Article ID: 414743

calendar_today

Updated On:

Products

VCF Operations for Networks

Issue/Introduction

After changing password of NSX managers Aria Operations for Networks (AON) is generating Invalid Credentials error.
Trying to edit data source and update correct credentials also does not help.



Collector logs show invalid credentials and HTTP 403.
ERROR dataprovider.utils.HttpUtils NSXT_####.com_Config_OpMgr-3 checkStatusAndThrow:41 API /api/session/create error response {"module_name":"common-service","error_message":"Authentication Failed: Invalid credentials","error_code":98}
Caused by: com.vnera.dataproviders.core.common.impl.dataprovider.utils.exceptions.HttpException: Status code returned: 403 : Forbidden : for uri : https://<nsx-manager>.com:443

NSX manager log shows that account used for adding datasource is locked because of consecutive failed attempts.
INFO Processing request 075af##-##-##-##-##ac1c AuthenticationBlacklistService 74750 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] User username@<collector-ip> login lockout expired
WARN Processing request e0e1##-##-##-##-##4c5d AuthenticationBlacklistService 74750 - [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="http"] Account username@<collector-ip> has been temporarily locked for ## seconds after ## consecutive failed login attempts.

Environment

VCF Operations for Networks
VMware NSX

Cause

User account is locked due to consecutive authentication failures, due to this AON is getting HTTP 403 response. For e.g., NSX is configured with default auth-policy lockout period set to 900 seconds. Due to this the account will be locked for 15 min after failed attempt and AON will not able to add NSX as data source even when trying with correct password.

Resolution

1. Check authentication policy lockout period for API in NSX manager.
nsxmanager> get auth-policy api lockout-period

2. Perform one of the following steps (a) or (b) -
(a) Delete data source in AON, wait for lockout period to expire and then add data source again. Or,
(b) Change the lockout period to a very small value (few seconds). Wait for initially configured value to expire (default 900 seconds), now add data source again.

Additional Information

Powered by Wolken Software