vIDM authentication fails with Invalid Credentials for NSX-T added as data source
Article ID: 417698

Products

VCF Operations for Networks

Issue/Introduction

  • An "Invalid Credentials" error is reported for the NSX-T data source in VCF Operations for Networks.

  • vIDM is used as an authentication method for the NSX data source. This kind of authentication fails intermittently.

  • In collector logs /var/log/arkin/collector/collector.STDOUT-yyyy-mm-dd-hh.mm.ss.log.error:
    INFO impl.dataprovider.AbstractDPOperationsManager DataProviderManager::healthCheck getHealthStatus:514 DPHealthStatus: dpId {
      dataProviderIdentifier: "NSXT_nsx_manager_fqdn"
      customerId: #####
    
    DPTaskStatus
    {
            taskId='com.vnera.dataproviders.core.impl.vmware.nsxt.tasks.NSXTLatencyStateWatcher'
            collectedDataType=CONFIG
            taskExecType=SCHEDULED
            isSuccess=false
            timestamp=xxxxxxxxxxx
            errorCode='INVALID_CREDENTIALS'
            errorMessage='com.vnera.dataproviders.core.common.impl.dataprovider.utils.exceptions.HttpException: Could not get response for /policy/api/v1/infra/sites/default/enforcement-points/default/transport-zones/xxxx-xxxx-xxxx-xxxx, status 403
            at com.vnera.dataproviders.core.common.impl.dataprovider.utils.HttpUtils.checkCodeAndThrow(HttpUtils.java:54)
            at com.vnera.dataproviders.core.common.impl.dataprovider.utils.HttpUtils.checkStatusAndThrow(HttpUtils.java:34)
            at com.vnera.dataproviders.core.common.impl.dataprovider.utils.HttpUtils.checkStatusAndThrow(HttpUtils.java:23)
            at com.vnera.dataproviders.core.impl.vmware.nsxt.tasks.NSXTUtils.setPolicyTransportZones(NSXTUtils.java:1680)
            at com.vnera.dataproviders.core.impl.vmware.nsxt.tasks.ManageNSXTPolicyLatencyTask.enableLatencyTransportZone(ManageNSXTPolicyLatencyTask.java:196)
            at com.vnera.dataproviders.core.impl.vmware.nsxt.tasks.ManageNSXTPolicyLatencyTask.lambda_configureTransportZones_0(ManageNSXTPolicyLatencyTask.java:97)
            at java.base/java.util.concurrent.ConcurrentHashMap_KeySetView.forEach(ConcurrentHashMap.java:4706)
            at com.vnera.dataproviders.core.impl.vmware.nsxt.tasks.ManageNSXTPolicyLatencyTask.lambda_configureTransportZones_1(ManageNSXTPolicyLatencyTask.java:82)
            at java.base/java.util.concurrent.ConcurrentHashMap_KeySetView.forEach(ConcurrentHashMap.java:4706)
            at com.vnera.dataproviders.core.impl.vmware.nsxt.tasks.ManageNSXTPolicyLatencyTask.configureTransportZones(ManageNSXTPolicyLatencyTask.java:81)
            at com.vnera.dataproviders.core.impl.vmware.nsxt.tasks.NSXTLatencyStateWatcher.process(NSXTLatencyStateWatcher.java:103)
            at com.vnera.dataproviders.core.impl.vmware.nsxt.tasks.NSXTLatencyStateWatcher.doRun(NSXTLatencyStateWatcher.java:78)
            at com.vnera.dataproviders.core.common.impl.dataprovider.tasks.AbstractTask.run(AbstractTask.java:165)
            at com.vnera.dataproviders.tasker.Tasker_ScheduledTaskWrapper.run(Tasker.java:486)
            at com.google.common.util.concurrent.MoreExecutors_ScheduledListeningDecorator_NeverSuccessfulListenableFutureTask.run(MoreExecutors.java:678)
            at java.base/java.util.concurrent.Executors_RunnableAdapter.call(Executors.java:539)
            at java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305)
            at java.base/java.util.concurrent.ScheduledThreadPoolExecutor_ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
            at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
            at java.base/java.util.concurrent.ThreadPoolExecutor_Worker.run(ThreadPoolExecutor.java:635)
            at java.base/java.lang.Thread.run(Thread.java:840)
    '
            taskData={timeTaken=2, healthMsgPayload=, healthMsgPayloadKey=NSX_LATENCY_STATUS}
    }
    
    INFO vmware.nsxt.NSXTDPOperationsManager_NSXTHealthStatusConverter DataProviderManager::healthCheck convertDPStatusToUnhealthyIfAnyTaskHasError:865 Task id: com.vnera.dataproviders.core.impl.vmware.nsxt.tasks.NSXTLatencyStateWatcher
    INFO vmware.nsxt.NSXTDPOperationsManager_NSXTHealthStatusConverter DataProviderManager::healthCheck convertDPStatusToUnhealthyIfAnyTaskHasError:866 Task error code: INVALID_CREDENTIALS
    INFO vmware.nsxt.NSXTDPOperationsManager_NSXTHealthStatusConverter DataProviderManager::healthCheck convertDPStatusToUnhealthyIfAnyTaskHasError:892 Set health status as unhealthy for nsx: NSXT_nsx_manager_fqdn
  • Executing the same API call with curl from the VCF Operations for Networks collector node against the NSX-T manager returns the "Invalid credentials" error, as seen below:
    support@aria-networks-collector:~$ ub
    
    ubuntu@aria-networks-collector:~$ curl -ik --user Test_svcvrni --request GET https://###.###.#.#/api/v1/cluster/api-virtual-ip
    
    Enter host password for user ####_USERID_####:
    
    HTTP/1.1 403 Forbidden
    content-type: application/json
    content-length: 205
    date: Wed, 18 Dec 2024 07:14:07 GMT
    {
      "error_code": 401,
      "error_message": "User is not authorized to perform this operation on the application. Please contact the system administrator to get access.",
      "module_name": "common-services"
    }

NOTE: VCF Operations for Networks was formerly named Aria Operations for Networks (AON), and prior to that was named vRealize Network Insight (vRNI).

Environment

  • VCF Operations for Networks
  • VMware NSX
  • VMware Identity Manager

Cause

Authentication failures occur because NSX cannot reliably retrieve user information from vIDM or Active Directory within the polling interval, leading to timeouts and account lockouts.

AD accounts authenticated via vIDM specifically trigger HTTP 403 errors during polling, leading to persistent account lockouts. This issue often surfaces as HTTP 403 Forbidden errors in collector logs.
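
One way to confirm this signature in a saved collector log, as an added example (not Broadcom tooling or code from this article): the Python below walks the DPTaskStatus blocks shown in the log excerpt and reports each INVALID_CREDENTIALS failure with its data source, API path and HTTP status. The function names, the FQDN nsx01.example.test and the zone id tz-1 are assumptions made for the example.

```python
import re
from collections import Counter

DP_RE = re.compile(r'dataProviderIdentifier:\s*"([^"]+)"')
FIELD_RE = re.compile(r"^(taskId|errorCode)='([^']*)'")
HTTP_RE = re.compile(r"Could not get response for (\S+), status (\d{3})")

def find_credential_failures(log_text):
    """Return one dict per DPTaskStatus block whose errorCode is INVALID_CREDENTIALS."""
    hits, dp_id, task = [], None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = DP_RE.search(line)
        if m:                                  # remember which data source follows
            dp_id = m.group(1)
        elif line == "DPTaskStatus":           # a new task block starts
            task = dict(dp=dp_id, taskId=None, errorCode=None, path=None, status=None)
        elif task is not None:
            f, h = FIELD_RE.match(line), HTTP_RE.search(line)
            if f:
                task[f.group(1)] = f.group(2)
            if h:                              # API path and HTTP status from errorMessage
                task["path"], task["status"] = h.group(1), int(h.group(2))
            if line == "}":                    # block ends; keep only credential errors
                if task["errorCode"] == "INVALID_CREDENTIALS":
                    hits.append(task)
                task = None
    return hits

def summarize(hits):
    """Count failures per (data source, HTTP status) to show how often polling is rejected."""
    return Counter((h["dp"], h["status"]) for h in hits)

# Constructed sample in the shape of the collector log excerpt; FQDN and zone id are made up.
SAMPLE_LOG = """\
INFO impl.dataprovider.AbstractDPOperationsManager DataProviderManager::healthCheck getHealthStatus:514 DPHealthStatus: dpId {
  dataProviderIdentifier: "NSXT_nsx01.example.test"
DPTaskStatus
{
        taskId='com.vnera.dataproviders.core.impl.vmware.nsxt.tasks.NSXTLatencyStateWatcher'
        errorCode='INVALID_CREDENTIALS'
        errorMessage='com.vnera.dataproviders.core.common.impl.dataprovider.utils.exceptions.HttpException: Could not get response for /policy/api/v1/infra/sites/default/enforcement-points/default/transport-zones/tz-1, status 403
        at com.vnera.dataproviders.core.common.impl.dataprovider.utils.HttpUtils.checkCodeAndThrow(HttpUtils.java:54)
'
}
"""

if __name__ == "__main__":
    print(summarize(find_credential_failures(SAMPLE_LOG)))
```

A steady count of status 403 against a single NSX data source that uses a vIDM-backed account matches the pattern this article describes.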

Resolution

Configure NSX manager data sources using a local user account or principal identity authentication.

If the credentials need to be changed and metrics are still not collecting 2 hours after the change, follow this workaround:

  1. Click on Settings > Accounts and datasource page.
  2. In the row for the NSX-T Manager data source for which metrics are not collecting, toggle Data Collection "OFF" and then toggle Data Collection "ON".

Additional Information

Per KB 388529, turning the data source off and on will force a reconnection when the validation has failed due to this issue.