HTTP 500 Error When Assigning an Active Directory Group to the HCX Administrator Role in the HCX :9443 Client
Article ID: 417378
Updated On:
Products
Issue/Introduction
When attempting to assign an Active Directory (AD) user group to the HCX Administrator role within the HCX UI, the operation fails with the following banner error:
Http failure response for https://<HCX-Manager-FQDN>:9443/api/admin/global/config/roleMappings: 500 OK
Despite the “OK” status, the 500 response indicates that HCX could not process the request. The UI displays the error whenever an AD group from an external domain is entered directly into the “User Groups” field.
Environment
VMware HCX
Cause
This issue occurs when an Active Directory group from an external domain (e.g., corp.company.com) is added directly to the HCX Administrator role mapping.
HCX requires that all groups mapped to HCX roles exist under the vSphere.local identity source within vCenter.
In this environment, the AD group was already nested inside a vSphere.local group within vCenter. However, when the AD group was entered directly in the HCX UI, HCX could not validate it against the identity source hierarchy, resulting in an HTTP 500 error.
Resolution
To resolve the issue, map the vSphere.local group—not the external AD group—within the HCX UI.
-
In vCenter, verify that your AD group is already a member of a vSphere.local group (for example,
vsphere.local\Administratorsor a custom vSphere.local group). -
In the HCX UI, navigate to Administration → Configuration → Role Mapping.
-
For HCX Administrator, enter the vSphere.local group name that contains the AD group.
-
Click Save.
Once the vSphere.local group is used, the configuration is accepted, and all members of the nested AD group inherit HCX Administrator permissions and can successfully log in to the HCX UI and perform all administrator-level operations.
Additional Information
Please see the following resources:
Feedback
