/var/log/proxy/reverse-proxy.log:
<timestamp> INFO Processing request ########-####-####-####-########## OAuth2AuthenticationProvider 420540 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Failed to use SAMAccountName, attempting UserPrincipleName: Invalid credentials
<timestamp> WARN Processing request ########-####-####-####-########## CustomOidcAuthorizationCodeAuthenticationProvider 420540 - [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="http"] password grant flow authentication failed
<timestamp> INFO Processing request ########-####-####-####-########## NsxBasicAuthenticationFilter 420540 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Invalid credentials
<timestamp> ERROR Processing request ########-####-####-####-########## NsxRestAuthenticationEntryPoint 420540 - [nsx@6876 comp="nsx-manager" errorCode="MP403" level="ERROR" subcomp="http"] The credentials were incorrect or the account specified has been locked
403 error in /var/log/proxy/envoy_access.log:
<timestamp> <Source_IP> <Dest_IP> "GET" "/api/v1/fabric/virtual-machines" "HTTP/1.1" 403 UAEX 0 141 184 - "<Source_IP>" "-" "########-####-####-####-##########" "<NSX_FQDN/IP>" "-"
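The reverse-proxy.log entries and the envoy_access.log 403 share the same request ID (the masked UUID), which is the key for tying a user's rejected API call to the chain of authentication providers that failed for it. The following script is an added example, not part of this article or of any VMware tooling: it parses both log formats shown above, correlates them by request ID, and reports each 403 together with the provider chain and MP error code that preceded it. The timestamps, IPs, FQDN and request IDs in the embedded sample lines are constructed placeholders, and the successful second request is added only to show that healthy requests are not flagged.

```python
"""
Correlate NSX Manager reverse-proxy authentication failures with Envoy 403s.

Added example for this article; not VMware code. Log line shapes follow the
article's excerpts; all values in the samples below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample of /var/log/proxy/reverse-proxy.log (same layout as the article).
REVERSE_PROXY_LOG = """\
2024-01-01T10:00:00.000Z INFO Processing request 11111111-2222-3333-4444-555555555555 OAuth2AuthenticationProvider 420540 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Failed to use SAMAccountName, attempting UserPrincipleName: Invalid credentials
2024-01-01T10:00:00.100Z WARN Processing request 11111111-2222-3333-4444-555555555555 CustomOidcAuthorizationCodeAuthenticationProvider 420540 - [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="http"] password grant flow authentication failed
2024-01-01T10:00:00.200Z INFO Processing request 11111111-2222-3333-4444-555555555555 NsxBasicAuthenticationFilter 420540 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Invalid credentials
2024-01-01T10:00:00.300Z ERROR Processing request 11111111-2222-3333-4444-555555555555 NsxRestAuthenticationEntryPoint 420540 - [nsx@6876 comp="nsx-manager" errorCode="MP403" level="ERROR" subcomp="http"] The credentials were incorrect or the account specified has been locked
2024-01-01T10:00:05.000Z INFO Processing request 99999999-8888-7777-6666-555555555555 NsxBasicAuthenticationFilter 420540 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Authentication successful
"""

# Constructed sample of /var/log/proxy/envoy_access.log (one 403, one healthy 200).
ENVOY_ACCESS_LOG = """\
2024-01-01T10:00:00.350Z 10.0.0.5 10.0.0.10 "GET" "/api/v1/fabric/virtual-machines" "HTTP/1.1" 403 UAEX 0 141 184 - "10.0.0.5" "-" "11111111-2222-3333-4444-555555555555" "nsx.example.test" "-"
2024-01-01T10:00:05.050Z 10.0.0.5 10.0.0.10 "GET" "/api/v1/fabric/virtual-machines" "HTTP/1.1" 200 - 0 5120 30 - "10.0.0.5" "-" "99999999-8888-7777-6666-555555555555" "nsx.example.test" "-"
"""

UUID_RE = r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}"

# <ts> <level> Processing request <rid> <component> <pid> - [<structured-data>] <message>
RP_RE = re.compile(
    rf"^(?P<ts>\S+) (?P<level>\S+) Processing request (?P<rid>{UUID_RE}) "
    r"(?P<component>\S+) \d+ - \[(?P<sd>[^\]]*)\] (?P<msg>.*)$"
)

# <ts> <src> <dst> "<method>" "<path>" "<proto>" <status> <flags> ... "<rid>" ...
ENVOY_RE = re.compile(
    rf'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) "(?P<method>[^"]*)" "(?P<path>[^"]*)" '
    rf'"[^"]*" (?P<status>\d{{3}}) (?P<flags>\S+) .*"(?P<rid>{UUID_RE})"'
)

# Providers that appear, in this order, when every authentication path fails.
FAIL_CHAIN = (
    "OAuth2AuthenticationProvider",
    "CustomOidcAuthorizationCodeAuthenticationProvider",
    "NsxBasicAuthenticationFilter",
    "NsxRestAuthenticationEntryPoint",
)


def parse_reverse_proxy(text):
    """Group reverse-proxy.log events by request ID, pulling errorCode out of the structured data."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RP_RE.match(line)
        if not m:
            continue  # lines not tied to a request are irrelevant for correlation
        code = re.search(r'errorCode="([^"]+)"', m["sd"])
        events[m["rid"]].append({
            "ts": m["ts"],
            "level": m["level"],
            "component": m["component"],
            "error_code": code.group(1) if code else None,
            "msg": m["msg"],
        })
    return events


def parse_envoy(text):
    """Index envoy_access.log rows by request ID."""
    rows = {}
    for line in text.splitlines():
        m = ENVOY_RE.match(line)
        if m:
            rows[m["rid"]] = {
                "status": int(m["status"]),
                "flags": m["flags"],
                "method": m["method"],
                "path": m["path"],
                "src": m["src"],
            }
    return rows


def correlate(rp_text, envoy_text):
    """Return one finding per Envoy 403, with the auth-provider chain that failed for that request."""
    events = parse_reverse_proxy(rp_text)
    envoy = parse_envoy(envoy_text)
    findings = []
    for rid, row in envoy.items():
        if row["status"] != 403:
            continue
        chain = [e["component"] for e in events.get(rid, [])]
        codes = {e["error_code"] for e in events.get(rid, []) if e["error_code"]}
        findings.append({
            "request_id": rid,
            "source": row["src"],
            "path": row["path"],
            "flags": row["flags"],
            "provider_chain": chain,
            "error_codes": sorted(codes),
            # True when every provider in FAIL_CHAIN logged for this request,
            # i.e. the full authentication chain was exhausted.
            "full_chain_failed": all(c in chain for c in FAIL_CHAIN),
        })
    return findings


if __name__ == "__main__":
    for f in correlate(REVERSE_PROXY_LOG, ENVOY_ACCESS_LOG):
        print(f"{f['request_id']} {f['source']} {f['path']} flags={f['flags']} "
              f"codes={f['error_codes']} full_chain_failed={f['full_chain_failed']}")
        for step in f["provider_chain"]:
            print(f"    -> {step}")
```

On a real manager, feed the two files in with `open(...).read()` in place of the embedded samples; a 403 whose request ID shows the full provider chain ending in NsxRestAuthenticationEntryPoint with errorCode MP403 is the signature this article describes, while a 403 with no matching reverse-proxy.log events points at a different failure path and should be investigated separately.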
AADSTS90020: The SAML 1.1 Assertion is missing ImmutableID of the user.
/var/log/syslog reports the following error message:
<timestamp> <NSX Manager> NSX 4674 - [nsx@6876 comp="nsx-manager" level="WARNING" s2comp="notification" subcomp="monitoring"] Fail to send request.
Exception: org.springframework.web.client.HttpServerErrorException$BadGateway with org.springframework.web.client.HttpServerErrorException$BadGateway: 502 Bad Gateway: "<html><EOL><EOL><head><title>502 Bad Gateway</title></head><EOL><EOL><body><EOL><EOL><center><h1>502 Bad Gateway</h1></center><EOL><EOL><hr><center>nginx</center><EOL><EOL></body><EOL><EOL></html><EOL><EOL>"
NSX Manager cannot retrieve the user's information from vIDM because vIDM itself cannot retrieve that user from Active Directory. The authentication chain (NSX Manager to vIDM to Active Directory) therefore breaks at the directory lookup, and NSX Manager only reports the downstream result as "Invalid credentials" / MP403, which does not expose the underlying directory problem.
In this situation, engage the Active Directory team to investigate why the affected user cannot authenticate to vIDM in the first place. Changes on NSX Manager alone will not resolve the issue, because NSX Manager is only reflecting the failure returned by vIDM.