Intermittent Login Failures to the NSX Manager using LDAP credentials

Article ID: 415235

Products

VMware NSX

Issue/Introduction

Unable to authenticate any AD user.

When attempting to log in to the NSX Manager UI using an LDAP user account, login is sometimes successful and at other times fails.

LDAP user accounts fail to log in to the cluster VIP or to individual NSX Manager nodes.

LDAPS (Secure LDAP) is being used to connect to the LDAP servers.

In /var/log/syslog, entries similar to the following are seen:

<Date><Time> <NSX Manager Hostname> NSX 3005 -  [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Server certificate not allow-listed: CN=<Server_Name>,O=<Organization>,ST=<State>,C=<Country>
<Date><Time> <NSX Manager Hostname> NSX 3005 -  [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] checkServerTrusted:  CN=<Server_Name>,O=<Organization>,ST=<State>,C=<Country> for authType=UNKNOWN failed: PKIX path building failed: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found
<Date><Time> <NSX Manager Hostname> NSX 3005 -  [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="http"] password grant flow authentication failed
<Date><Time> <NSX Manager Hostname> NSX 3005 SYSTEM [nsx@6876 audit="true" comp="nsx-manager" level="INFO" subcomp="http"] Username="<LDAP_Username>", ModuleName='ACCESS_CONTROL", OPERATION="LOGIN". Operation status="failure"

Cause

The LDAPS server configured is using a DNS name that resolves to more than one LDAP server. This causes authentication requests to be round-robined among the LDAP servers. When attempting to authenticate to an LDAPS server whose installed certificate is not trusted by the NSX Manager, the authentication request fails. The NSX Manager fails its connection to that LDAPS server because of a mismatch between the certificate information stored in NSX Manager and the active certificate on the LDAPS server.

Resolution

  • Ensure the LDAPS certificate is a valid certificate
    • From the NSX Manager root CLI run: "openssl s_client -connect <LDAPS server FQDN or IP>:636 -showcerts"
  • Confirm the LDAP servers configured in the identity source contain the retrieved certificate details
    • Check the certificate information from the output and compare it to the certificate information saved in NSX Manager. In the NSX Manager UI log in as admin, navigate to System > User Management > Authentication Providers > LDAP and expand the details for the LDAP Server.
    • If the certificate in the NSX Manager LDAP Server configuration is different from the one retrieved from the LDAPS server, update the certificate, or else add an additional LDAP server configuration that matches the certificate retrieved from the LDAPS server
      • Certificates used by the LDAPS servers may differ, so an identity source may need multiple LDAP Server entries, one per LDAPS server


  • Ensure that the AD user(s) from the LDAP Server are now able to log into NSX Manager successfully.
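Because the DNS name is round-robined, a single openssl s_client run only shows the certificate of whichever server answered that time. The following script is an added example (not part of this KB article or any NSX tool): it resolves every address behind the LDAPS name, retrieves the leaf certificate each one presents, and reports any address whose SHA-256 fingerprint is not among the thumbprints recorded in the NSX Manager LDAP Server entries. It assumes getent and openssl are available on the host it is run from, and the trusted fingerprint list is a placeholder you fill in from the NSX Manager UI.

```shell
#!/bin/bash
# Added example, not NSX code. Usage:
#   ./ldaps_check.sh ldap.example.com AB:CD:... 12:34:...
# (FQDN, then the SHA-256 thumbprint(s) stored in NSX Manager; placeholders here)

resolve_ips() {  # print each IPv4 address the DNS name resolves to, one per line
  getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

normalize_fp() {  # "sha256 Fingerprint=ab:cd" (or "ab:cd") -> "ABCD"
  sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

leaf_fingerprint() {  # $1 = FQDN (for SNI), $2 = IP; SHA-256 fingerprint of the leaf cert
  openssl s_client -connect "$2:636" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 2>/dev/null \
    | normalize_fp
}

is_trusted() {  # $1 = normalized fingerprint, remaining args = trusted thumbprints
  local fp=$1 t
  shift
  for t in "$@"; do
    [ "$(printf '%s' "$t" | normalize_fp)" = "$fp" ] && return 0
  done
  return 1
}

check_ldaps_servers() {  # $1 = FQDN, remaining args = trusted thumbprints
  local fqdn=$1 rc=0 ip fp
  shift
  for ip in $(resolve_ips "$fqdn"); do
    fp=$(leaf_fingerprint "$fqdn" "$ip")
    if [ -z "$fp" ]; then
      echo "$ip: no certificate retrieved on 636"; rc=1
    elif is_trusted "$fp" "$@"; then
      echo "$ip: certificate matches an NSX LDAP Server entry ($fp)"
    else
      echo "$ip: certificate NOT in NSX config ($fp) - add or update an LDAP Server entry"; rc=1
    fi
  done
  return $rc   # non-zero means at least one server will intermittently fail logins
}

if [ $# -gt 0 ]; then
  check_ldaps_servers "$@"
fi
```

Any address reported as NOT in NSX config is one of the round-robin targets that produces the "Server certificate not allow-listed" entries above; add an LDAP Server entry for it or update the stored certificate.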

Additional Information

For additional resources on using LDAP (Active Directory) accounts to access the NSX Manager, please reference the following KB articles:

Active Directory users login to NSX Manager fails after changes to LDAP Server certificates.

VMware NSX LDAPS server connection not working POST upgrade to VMware NSX 4.1.X