“Your login attempt was not successful. The username/password combination is incorrect or the account specified has been locked." when logging into NSX UI as LDAP user
Article ID: 425262

Products

VMware NSX

Issue/Introduction

  • LDAP has been configured on NSX for role-based access under System > User Management > Authentication Providers > LDAP

    The domain name of the identity source is example<1>.com
  • The LDAP user is synced from AD as user@example<2>.com and is mapped to an NSX role
  • Logging in to the NSX UI as user@example<2>.com fails with the following error

    Your login attempt was not successful. The username/password combination is incorrect or the account specified has been locked
  • In the NSX Manager log, /var/log/proxy/reverse-proxy.log, a warning similar to the following example is observed

    <DATE>T14:08:37.773Z  WARN Processing request <ID> DelegatingLdapAuthProvider 74600 - [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="http"] Could not find a matching LDAP authentication provider for user UsernamePasswordAuthenticationToken [Principal=user@example<2>.com, Credentials=[PROTECTED], Authenticated=false, Details=WebAuthenticationDetails [RemoteIpAddress=<IP address>, SessionId=null], Granted Authorities=[]]. No LDAP identity sources with a domain_name or alternative_domain_name matching example<2>.com were found.
    java.lang.NullPointerException: Cannot invoke "com.vmware.nsx.management.rp.security.ldap.LdapResourceConfig.getDomainName()" because the return value of "java.util.Map.get(Object)" is null

Environment

VMware NSX

Cause

When connecting to an AD forest consisting of multiple subdomains, NSX must have each subdomain configured on an LDAP identity source (as its domain name or as an alternative domain name); otherwise a user whose UPN suffix belongs to an unconfigured subdomain cannot log in.

Resolution

Edit the example<1>.com LDAP identity source and add an alternative domain name:

  1. In the NSX UI, go to System > User Management > Authentication Providers > LDAP and edit the LDAP Identity Source
  2. In the "Alternative Domain Names" field, add the second domain, e.g. example<2>.com, and click Save
  3. Log in to the NSX UI
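The following added example (not part of this article or of NSX itself) shows the triage step behind this resolution in script form: it pulls the unmatched UPN suffixes out of reverse-proxy.log warnings of the kind quoted above and compares them with the domain names configured on the LDAP identity sources, so an administrator can see which suffixes still need to be added as alternative domain names. The log lines and the identity source configuration are constructed sample data.

```python
import re

# Constructed sample of /var/log/proxy/reverse-proxy.log lines (not real NSX output).
SAMPLE_LOG = """\
2024-01-01T14:08:37.773Z  WARN Processing request abc123 DelegatingLdapAuthProvider 74600 - [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="http"] Could not find a matching LDAP authentication provider for user UsernamePasswordAuthenticationToken [Principal=user@example2.com, Credentials=[PROTECTED], Authenticated=false, Details=WebAuthenticationDetails [RemoteIpAddress=10.0.0.5, SessionId=null], Granted Authorities=[]]. No LDAP identity sources with a domain_name or alternative_domain_name matching example2.com were found.
2024-01-01T14:09:01.000Z  INFO Processing request def456 SomeOtherComponent - login ok for admin
2024-01-01T14:10:12.500Z  WARN Processing request ghi789 DelegatingLdapAuthProvider 74600 - [...] No LDAP identity sources with a domain_name or alternative_domain_name matching corp.example3.com were found.
"""

# Constructed (hypothetical) view of the configured NSX LDAP identity sources.
IDENTITY_SOURCES = [
    {"domain_name": "example1.com", "alternative_domain_names": []},
]

# Matches the tail of the warning NSX writes when no identity source covers the UPN suffix.
UNMATCHED_RE = re.compile(
    r"No LDAP identity sources with a domain_name or alternative_domain_name "
    r"matching (?P<domain>\S+) were found\."
)


def unmatched_domains(log_text):
    """UPN suffixes the reverse proxy could not map to any LDAP identity source."""
    return {m.group("domain").lower() for m in UNMATCHED_RE.finditer(log_text)}


def known_domains(sources):
    """Every domain_name and alternative_domain_name value, lowercased for comparison."""
    known = set()
    for src in sources:
        known.add(src["domain_name"].lower())
        known.update(d.lower() for d in src.get("alternative_domain_names", []))
    return known


def missing_domains(log_text, sources):
    """Suffixes seen in failed logins that are still not configured anywhere.

    Comparison is exact: NSX needs each subdomain listed explicitly, so
    corp.example3.com is not covered by an entry for example3.com.
    """
    return sorted(unmatched_domains(log_text) - known_domains(sources))


if __name__ == "__main__":
    for domain in missing_domains(SAMPLE_LOG, IDENTITY_SOURCES):
        print(f"add {domain} as an Alternative Domain Name on an LDAP identity source")
```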

Additional Information

If no error is seen in the reverse-proxy log around the time of the login attempt, consider raising the authentication logging level with this command on the NSX Manager CLI in admin mode:

set service auth logging-level debug